July 7, 2005

Information Technology Management

Report on Defense Property Accountability System Controls Placed in Operation and Test of Operating Effectiveness for the Period September 1, 2004 through April 30, 2005
(D-2005-092)

Department of Defense
Office of the Inspector General

Constitution of the United States

A Regular Statement of Account of the Receipts and Expenditures of all public Money shall be published from time to time.
Article I, Section 9

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

July 7, 2005

MEMORANDUM FOR THE OFFICE OF THE UNDER SECRETARY OF DEFENSE, ACQUISITION, TECHNOLOGY, AND LOGISTICS
UNDER SECRETARY OF DEFENSE (COMPTROLLER)/CHIEF FINANCIAL OFFICER
DEPUTY CHIEF FINANCIAL OFFICER
DEPUTY COMPTROLLER (PROGRAM/BUDGET)
DIRECTOR, DEFENSE FINANCE AND ACCOUNTING SERVICE
DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY
COMMANDING OFFICER, NAVAL SUPPLY INFORMATION SYSTEMS ACTIVITY

SUBJECT: Report on the Defense Property Accountability System Controls Placed in Operation and Test of Operating Effectiveness for the Period September 1, 2004 through April 30, 2005 (Report No. D-2005-092)

We are providing this report for your information and use. No written response to this report is required. Therefore, we are publishing this report in final form.

We appreciate the courtesies extended to the staff. Questions should be directed to Ms. Addie M. Beirna at (703) 428-1054 (DSN 328-1054) or Yolanda C. Watts at (703) 428-1071 (DSN 328-1071). The audit team members are listed inside the back cover.

By direction of the Deputy Inspector General for Auditing:

Paul J. Granetto, CPA
Assistant Inspector General
Defense Financial Auditing Service

Table of Contents

Foreword ... i

Section I
   Independent Service Auditor's Report ... 1

Section II
   Description of the Defense Property Accountability System Operations and Controls Provided by the Defense Finance and Accounting Service, the Defense Information Systems Agency, and the Naval Supply Information Systems Activity ... 7

Section III
   Control Objectives, Control Activities, and Tests of Operating Effectiveness ... 29

Section IV
   Supplemental Information Provided by the Defense Information Systems Agency ... 103

Acronyms and Abbreviations ... 107

Report Distribution ... 109

FOREWORD

This report is intended solely for use by management of the Defense Finance and Accounting Service (DFAS), Defense Information Systems Agency (DISA), and Naval Supply Information Systems Activity (NAVSISA), the Defense Property Accountability System (DPAS) user organizations, and the independent auditors of such user organizations. Department of Defense personnel who manage and use the DPAS will also find this report of interest as it contains information about DPAS general and application controls.

The Department of Defense Office of Inspector General (DoD OIG) is implementing a long-range strategy to conduct audits of DoD financial statements. The Chief Financial Officer's Act of 1990 (P.L. 101-576), as amended, mandates that agencies prepare and conduct audits of financial statements. The reliability of information in DPAS directly impacts DoD's ability to produce reliable, and ultimately auditable, financial statements, which is key to achieving the goals of the Chief Financial Officer's Act.

DPAS provides financial reporting capability for capital assets (assets with a value greater than $100,000), and asset accountability for more than 10.6 million property assets (assets with a value less than $100,000) valued at approximately $48.3 billion as of February 2005. DPAS provides standard general ledger accounting in conformance with the United States Government Standard General Ledger (USSGL) at the transaction level and subsidiary reporting for capital assets. DPAS tracks accountability for various types of property including personal property, real property, and heritage assets. DPAS has security features that provide asset visibility at many levels based on users' roles and needs.

This audit assessed controls over DPAS accountability of assets totaling approximately $48.3 billion. This report provides an opinion on the fairness of presentation, the adequacy of design, and the operating effectiveness of key controls that are relevant to audits of user organization financial statements. As a result, this audit precludes the need for multiple audits of DPAS controls previously performed by user organizations to plan or conduct financial statement and performance audits.
This audit will also provide, in a separate audit report, recommendations to management for correction of identified control deficiencies. Effective internal control is critical to achieving reliable information for all management reporting and decision making purposes.

Section I: Independent Service Auditors' Report

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

July 7, 2005

MEMORANDUM FOR THE OFFICE OF THE UNDER SECRETARY OF DEFENSE, ACQUISITION, TECHNOLOGY, AND LOGISTICS
UNDER SECRETARY OF DEFENSE (COMPTROLLER)/CHIEF FINANCIAL OFFICER
DEPUTY CHIEF FINANCIAL OFFICER
DEPUTY COMPTROLLER (PROGRAM/BUDGET)
DIRECTOR, DEFENSE FINANCE AND ACCOUNTING SERVICE
DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY
COMMANDING OFFICER, NAVAL SUPPLY INFORMATION SYSTEMS ACTIVITY

SUBJECT: Report on the Defense Property Accountability System Controls Placed in Operation and Test of Operating Effectiveness for the Period September 1, 2004 through April 30, 2005

We have examined the accompanying description of the general computer and application controls related to DPAS (Section II of this report). The DPAS program is overseen and managed by the Office of the Under Secretary of Defense, Acquisition, Technology and Logistics and used by 329 user groups throughout the Department of Defense (DoD). The DPAS system, including general computer and application controls, is directly supported and maintained by DFAS, DISA, and NAVSISA. Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of the controls at DFAS, DISA, and NAVSISA that may be relevant to a DPAS user organization's internal controls as they relate to an audit of financial statements; (2) the controls included in the description were suitably designed to achieve the control objectives specified in the description if those controls were complied with satisfactorily and user organizations applied those aspects of internal control contemplated in the design of the controls at DFAS, DISA, and NAVSISA; and (3) such controls had been placed in operation as of April 30, 2005.

The control objectives were specified by DoD OIG and accepted by DFAS, DISA, and NAVSISA. Our examination was performed in accordance with standards established by the American Institute of Certified Public Accountants and the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States, and included those procedures we considered necessary in the circumstances to obtain a reasonable basis for rendering our opinion.

DPAS was used by the Army, Navy, and Defense Agencies, including the National Security Agency (NSA). The NSA had its own separate version of DPAS since its property information was classified. In addition, the Navy used DPAS in a manner that is different than the way DPAS is used by the Army and Defense Agencies. The accompanying description includes only those general computer and application control objectives and related control activities related to the nonclassified and non-Navy DPAS versions of the system. DPAS interfaced with over 28 DoD systems that either received data from or transmitted data to DPAS. The accompanying description includes only those general computer and application controls related to the input and output processing of these data files and does not include general computer and application controls over the source and destination systems that send data files to or receive data files from DPAS. Finally, the accompanying description includes only those application controls that were centrally managed and maintained by DFAS, DISA, and NAVSISA and does not include the application controls resident at DPAS user locations. Therefore, our examination did not extend to the general computer and application controls related to the classified and Navy versions of DPAS, the general computer and application controls over the source and destination systems that interfaced with DPAS, or the application controls resident at DPAS user locations.

Our examination was conducted for the purpose of forming an opinion on the description of the DPAS general computer and application controls at DFAS, DISA, and NAVSISA (Section II and the control activities described in Section III of this report). Information about business continuity plans and procedures at DISA, as provided by that organization and included in Section IV, is presented to provide additional information to user organizations and is not a part of the description of controls at DFAS, DISA, and NAVSISA. The information in Section IV has not been subjected to the procedures applied in the examination of the aforementioned description of the controls at DFAS, DISA, and NAVSISA related to their business continuity plans and procedures. Accordingly, we express no opinion on the description of the business continuity plans and procedures provided by DISA.

In our opinion, the accompanying description of the general computer and application controls at DFAS, DISA, and NAVSISA related to DPAS (Section II) presents fairly, in all material respects, the relevant aspects of the controls at DFAS, DISA, and NAVSISA that had been placed in operation as of April 30, 2005. Also, in our opinion, the controls, as described, were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily and users applied those aspects of internal control contemplated in the design of the controls at DFAS, DISA, and NAVSISA.

In addition to the procedures that we considered necessary to render our opinion as expressed in the previous paragraph, we applied tests to specified controls, listed in Section III, to obtain evidence about their effectiveness in meeting the related control objectives described in Section III during the period from September 1, 2004, to April 30, 2005. The specific control objectives, controls, and the nature, timing, extent, and results of the tests are listed in Section III. This information has been provided to DPAS user organizations and to their auditors to be taken into consideration, along with information about the user organizations' internal control environments, when making assessments of control risk for such user organizations.

A number of controls in place to ensure compliance with DoD information assurance policies, including DoDI 8500.2 and DoD Information Technology Security Certification and Accreditation Process (DITSCAP), appear to be suitably designed, but our tests of operating effectiveness indicated inconsistencies in adherence to these policies. In performing our examination, we identified the following deficiencies relating to the operating effectiveness of controls in operation for the period September 1, 2004, to April 30, 2005:

• DISA recorded the system audit trails generated by DPAS. However, DISA did not proactively monitor DPAS system audit trails. As a result, DPAS's controls did not provide reasonable assurance that the following control objectives were fully achieved during the period from September 1, 2004 to April 30, 2005:

   • "Tools are available for the review of audit records and for report generation from audit records" (general computer control objective 34);

   • "Policies and techniques have been implemented for using and monitoring the use of system utilities" (general computer control objective 72); and

   • "Installation of system software is documented and reviewed" (general computer control objective 74).

• DISA had documented standard operating procedures covering the DPAS-related operations at DISA Ogden. However, those standard operating procedures were outdated and incomplete. As a result, DPAS's controls did not provide reasonable assurance that the following control objectives were fully achieved during the period from September 1, 2004 to April 30, 2005:

   • "Policies and techniques have been implemented for using and monitoring the use of system utilities" (general computer control objective 72) and

   • "Formal procedures guide personnel in performing their duties" (general computer control objective 80).

• DISA performed certain procedures to process and monitor system transaction files, as well as certain procedures to correct errors and problems associated with transaction file processing. However, those procedures were not documented. In addition, the majority of the transaction processing, monitoring, and error correction functions were performed by one individual at DISA who was the only person who had the full technical knowledge of DPAS to perform all of the functions. The unavailability of this person could impact the timeliness and quality of system transaction file processing. As a result, DPAS's controls did not provide reasonable assurance that the following control objective was fully achieved during the period from September 1, 2004 to April 30, 2005: "Controls provide reasonable assurance that erroneous transactions are identified without being processed and without undue disruption of the processing of other valid transactions," (application control objective 11).

• DISA performed vulnerability testing to identify DPAS's architecture vulnerabilities. However, DISA did not perform periodic network penetration testing. As a result, DPAS's controls did not provide reasonable assurance that the following control objective was fully achieved during the period from September 1, 2004 to April 30, 2005: "Conformance testing that includes periodic, unannounced, in-depth monitoring and provides for specific penetration testing to ensure compliance with all vulnerability mitigation procedures is planned, scheduled, and conducted," (general computer control objective 48).

In our opinion, except for the matters described in the preceding paragraphs, the controls that were tested, as described in Section III, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in Section III were achieved during the period from September 1, 2004 to April 30, 2005. However, the scope of our engagement did not include tests to determine whether control objectives not listed in Section III were achieved; accordingly, we express no opinion on the achievement of control objectives not included in Section III.

The relative effectiveness and significance of specific controls at DFAS, DISA, and NAVSISA and their effect on assessments of control risk at user organizations are dependent on their interaction with the internal control environment and other factors present at individual user organizations. We have performed no procedures to evaluate the effectiveness of internal controls placed in operation at individual user organizations.

The description of the controls at DFAS, DISA, and NAVSISA is as of April 30, 2005, and information about tests of their operating effectiveness covers the period from September 1, 2004 to April 30, 2005. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the system in existence. The potential effectiveness of specific controls at DFAS, DISA, and NAVSISA is subject to inherent limitations, and accordingly, errors or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that (1) changes made to the system or controls, (2) changes in processing requirements, or (3) changes required because of the passage of time may alter the validity of such conclusions.

This report is intended solely for use by management of DFAS, DISA, and NAVSISA, the DPAS user organizations, and the independent auditors of such user organizations.

By direction of the Deputy Inspector General for Auditing:

Paul J. Granetto, CPA
Assistant Inspector General
Defense Financial Auditing Service

Section II: Description of Defense Property Accountability System Operations and Controls Provided by the Defense Finance and Accounting Service, the Defense Information Systems Agency, and the Naval Supply Information Systems Activity

II. Description of the Defense Property Accountability System Operations and Controls Provided by the Defense Finance and Accounting Service, Defense Information Systems Agency, and Naval Supply Information Systems Activity

A. Overview of DPAS

History

The Under Secretary of Defense (Comptroller) and the Assistant Secretary of Defense for Command, Control, Communication and Intelligence designated DPAS as a migratory system in Fiscal Year 1995 to bring DoD real and personal property assets under proper accountability and financial control. At that time, DoD real and personal property were considered high-risk areas by the audit community. DoD activities began migrating data to DPAS in 1995. By 2001, DPAS was nearly fully deployed throughout DoD. The Army, Navy, Marine Corps and 22 Defense Agencies adopted DPAS; the Air Force did not. DPAS is considered a legacy system that will be replaced by 2012 as part of Enterprise Resource Plan initiatives at the Army, Navy, Marine Corps, and Defense Logistics Agency. An acquisition strategy is currently being developed to determine the appropriate modernization strategy for DPAS. DPAS is administered by the Under Secretary of Defense (Comptroller) and the Office of the Under Secretary of Defense, Acquisition, Technology and Logistics.

System Capabilities

DPAS provides financial reporting capability for capital assets (assets with a value greater than $100,000), and asset accountability for more than 10.6 million property assets (assets with a value less than $100,000) valued at approximately $48.3 billion as of February 2005. DPAS provides standard general ledger accounting in conformance with the USSGL at the transaction level and subsidiary reporting for capital assets.
DPAS tracks accountability for various\n     types of property, including personal property, real property, and heritage assets.\n     DPAS has security features that provide asset visibility at many levels based on\n     users\xe2\x80\x99 roles and needs.\n\n     DPAS provides DoD users with full support for property accountability,\n     management, and financial reporting. Specifically, it provides the capability to\n     update item authorizations, perform asset cataloging actions, assign\n     accountability, perform accountable record processing (such as receipts, turn-in,\n     transfers, and inventory tracking and status), account for government furnished\n     property, compute depreciation, generate general ledger transactions, update\n     subsidiary and general ledger records, report financial status, maintain an\n\n                                          9\n\x0cautomated document register, and report disposals. DPAS also supports various\nmaintenance requirements including tracking preventive maintenance schedules\nand actions, generating work orders, and tracking warranty, loan and lease data.\nDPAS users have the ability to choose the DPAS functionality they want to use to\nmeet their property accountability needs. In addition to standard reporting\ncapabilities, DPAS provides users with commercially developed ad hoc query and\nreport writing software. This toolset allows DPAS users to create and save\ncustom queries and reports to meet any special reporting requirements that the\nstandard DPAS reports do not support.\n\n\nSystem Interfaces\n\nDPAS\xe2\x80\x99s primary interface is keyboard input using the Government off-the-Shelf\n(GOTS) client/server software provided to its users. The majority of the inputs\nare real-time with the updates being performed immediately. 
In the instance of\nbatch processing, users generate \xe2\x80\x9cBatch Requests\xe2\x80\x9d real-time which are then stored\nin a database table for subsequent processing during the batch cycle. Validation\nof the real-time input is performed by the client software whenever possible.\nShould the validation require cross-validation with other table data not resident\nwithin the window, the validation will occur within the server software prior to\nprocessing. The GOTS software provides users update processes, ad hoc query\nprocesses and standard reports.\n\nDPAS has one internal interface that uses DPAS-developed software to accept\ninventory data generated by Portable Data Collection Devices (PDCDs), also\nreferred to as scanners. Users export a file from their terminal to the PDCD that\ncontains information about inventories to be conducted. Upon completion of\nthe inventories, the results are exported from the PDCD back to the user\xe2\x80\x99s\nterminal. From the user\xe2\x80\x99s terminal, the DPAS client software updates user\ndatabases. Some PDCDs may be capable of communicating wirelessly. In\nthose instances, the PDCD is configured to communicate with DPAS client\nsoftware, which in turn processes the updates on a near real-time basis.\n\nWith the exception of the Unit Level Logistics System \xe2\x80\x93 Supply (ULLS-S4),\nwhich is a PC-based self-contained application that uses a floppy diskette, or\nother similar media, all external interfaces use File Transfer Protocol/Secure File\nTransfer Protocol to communicate with DPAS. DPAS interfaces with 26 external\nsystems. All interfaces are documented with a service level agreement that\ncontains contact information, data file layouts, file transmission procedures, and\nfrequency of transmission information. 
With the exception of ULLS-S4, Army\nMaterial Command Installation Supply System, and Standard Army Retail Supply\nSystem, all interfaces are managed by the DISA DPAS operations support team.\n\n\nIn addition to system interfaces, there are data flows between various DPAS\n\n                                    10\n\x0cmodules. To build a property record, data is initially entered using the Catalog\nmodule with each distinct asset being catalogued with a Stock Number. The\nCatalog module maintains management data pertaining to the asset with that data\nflowing from the Catalog module to the Authorization and Document Register\nmodules. The Document Register assigns document numbers, updates status,\ncloses completed actions, and provides visibility for open and closed actions. The\nAuthorization Module feeds data to the Hand Receipt module to provide a link\nbetween assets on-hand and the authorization to obtain, retain or turn-in an asset.\nThe Hand Receipt module provides the capability to process all actions that affect\nasset balances. The Hand Receipt module creates accounting transactions when\ngains or losses for capital assets occur and feeds data to the Accounting\nModule generating asset expense and depreciation data. The Hand Receipt also\nprovides data to the Maintenance and Utilization module.\n\nExternal interfaces are grouped by function as follows:\n\n   \xe2\x80\xa2   Accounting - Accounting information, including depreciation data, are\n       interfaced from the DPAS database to selected accounting management\n       systems. 
The accounting interface is a one-way outbound interface that\n       provides capital asset general ledger and accounting information to cost\n       accounting systems such as Standard Industrial Fund System, Defense\n       Business Management System, Financial Accounting and Management\n       Information System, Washington Headquarters Services Allotment\n       Accounting System, Logistics Modernization Program, and Electronic\n       Business. These interfaces typically occur daily with data sent to the\n       accounting system when there is accounting transaction activity. Plans are\n       under way to add additional accounting interfaces with the Defense\n       Working Capital Accounting System; Standard Accounting and Reporting\n       System; Standard Accounting, Budget, and Reporting System; and\n       Defense Corporate Database.\n\n   \xe2\x80\xa2   Authorization - The authorization interface is a one-way inbound interface\n       that supports Army DPAS users by providing equipment authorization\n       requirements from the Logistics Army Authorization Document System.\n       The Logistics Army Authorization Document System data provides users\n       with current and projected equipment requirements. Users review this\n       data to determine whether there is sufficient equipment on-hand to fulfill\n       their mission, when to submit requisitions to cover equipment shortages,\n       and when to initiate turn-in actions for excess equipment. The Logistics\n       Support Activity within the Department of the Army is responsible for\n       sending the file containing Logistics Army Authorization Document\n       System data.\n\n   \xe2\x80\xa2   Asset Visibility - Asset visibility interfaces are one-way outbound\n       interfaces that provide data extracts of asset information based on the\n       needs of receiving systems. 
DPAS has active interfaces with the Unique\n       Item Tracking and Command Asset Visibility and Equipment\n                                    11\n\x0c    Redistribution System. Unique Item Tracking is used to report Army\n    reportable assets to the Continuing Balance System Expanded and to\n    report Small Arms to the Department of Defense Small Arms Serialization\n    Program registry and Cryptology assets to the Controlled Cryptographic\n    Item registry. The Unique Item Tracking interface typically occurs daily\n    with data being sent to Logistics Support Activity when there are Army\n    reportable asset transactions. The Command Asset Visibility and\n    Equipment Redistribution System interface occurs once a week. Both\n    interfaces are controlled by automated system scheduling software.\n\n\xe2\x80\xa2   Catalog - Catalog interfaces are all one-way inbound interfaces. There are\n    active catalog interfaces with Federal Logistics Data, Supply Bulletin 700-\n    20, Army Master Data File, and National Defense Equipment. These\n    interfaces provide DPAS users with current information concerning\n    National Stock Numbers. This information is used by DPAS users to\n    requisition materials and catalog assets. The interface frequencies range\n    from \xe2\x80\x9cAs Needed\xe2\x80\x9d (when updates occur) for the National Defense\n    Equipment, to Semi-Annual for the Supply Bulletin, to monthly for\n    Federal Logistics Data and the Army Master Data File. Defense Logistics\n    Information Service is responsible for sending Federal Logistics Data to\n    DPAS and the Logistics Support Activity is responsible for sending the\n    Supply Bulletin, Army Master Data File and National Defense Equipment\n    data.\n\n\xe2\x80\xa2   Excess - The excess interface is a two-way interface that supports the\n    redistribution of information technology (IT) assets. 
The interface\n    exchanges asset disposal information with the Defense Reutilization and\n    Marketing Automated Information System. This interface is used to\n    notify managers of excess assets. The Defense Reutilization and\n    Marketing Automated Information System provides DPAS with\n    information about sites that accept excess assets and with information\n    concerning schools that have been approved to participate in the\n    Computers for Learning program.\n\n\xe2\x80\xa2   Hand Receipt - The hand receipt interface is a one-way outbound interface\n    that supports feeding asset information to the ULLS-S4 system. The\n    interface is used to provide DPAS ULLS-S4 users (typically active Army\n    or National Guard units that are stationed at an Army post, camp, or\n    station) information concerning assets acquired by their activity. The data\n    from DPAS is merged with the activity\xe2\x80\x99s own asset data within ULLS-S4\n    to provide users with a complete picture of assets for which they are\n    responsible. The DPAS user executes this interface on demand, in near\n    real time.\n\n\xe2\x80\xa2   Maintenance - The maintenance interface is a one-way outbound interface\n    that supports feeding asset information to external maintenance systems.\n    DPAS has an active maintenance interface with the Facility Equipment\n    Management System. The interface is used to provide maintenance\n    systems with new equipment receipts, equipment turn-ins, and changes in\n    the status of existing equipment such as serial numbers, bar codes,\n    locations, and accumulated depreciation. The interface provides the\n    maintenance system with approximately 40 attributes on each piece of\n    equipment identified for maintenance and utilization tracking. 
This\n    interface occurs daily when there is activity and is controlled by\n    automated system scheduling software.\n\n\xe2\x80\xa2   Real Property - The real property interface is a two-way interface. DPAS\n    has active real property interfaces with the Integrated Facilities System\n    and the Planning Resource Infrastructure Decision Evaluation System.\n    The interfaces are used to accept real property information in DPAS.\n    During posting, accounting transactions are generated for transmission to\n    accounting systems. When capital improvements are input directly into\n    DPAS, DPAS generates transactions back to the real property systems to\n    advise them of the improvement. During the DPAS depreciation cycle,\n    DPAS transmits Accumulated Depreciation records to real property\n    systems to update the book value of each asset. This interface typically\n    occurs daily when there is activity and is controlled by automated system\n    scheduling software. The real property systems are responsible for\n    initiating the transmission and receipt of data.\n\n\xe2\x80\xa2   Receipts - The receipts interface is a two-way interface. DPAS has an\n    active receipts interface with the Base Operations Support System. The\n    interface is used to accept information concerning personal property assets\n    posted to users\xe2\x80\x99 accounts. Records that reject or are not accepted are sent\n    back to the sending system to advise them that the record was not\n    accepted. This interface typically occurs daily when there is activity and\n    is controlled by automated system scheduling software. Receiving\n    systems are responsible for initiating the transmission and receipt of data.\n\n\xe2\x80\xa2   Supply - Supply interfaces are two-way interfaces that provide users with\n    the ability to perform requisitioning actions using DPAS processes. 
For\n    the Army Materiel Command Installation Supply System and the Standard\n    Army Retail Supply System interfaces, these requisitions are transmitted\n    electronically to the Supply Support Activity. The Supply Support\n    Activity issues the material from local stock, or forwards the request to the\n    wholesale level for issuance or to the contracting system for local\n    purchase. In the case of the Defense Automatic Addressing System\n    interface, requisitioning is limited to National Stock Numbers. These\n    requisitions are transmitted directly to the Defense Automatic Addressing\n    System, which in turn retransmits them to the correct Inventory Control\n    Point for issuance. All of the supply systems send requisition status\n    information back to DPAS and DPAS updates the users\xe2\x80\x99 requisitions\n    electronically. With the exception of the Defense Automatic Addressing\n    System interface, which is controlled by automated system scheduling\n    software, these interfaces typically occur daily and are initiated by the\n    user.\n\n      Figure 1 below provides a graphical representation of the DPAS data flow.\n\nFigure 1: DPAS Data Flow\n\n      [Diagram. The Defense Property Accountability System sits at the center\n      and exchanges data with DPAS end users, the system administrator, and\n      external interfaces. Flows labeled in the diagram: maintenance and\n      utilization data, catalog data, accounting data, authorization data, asset\n      data, inventory status, property management data, inquiries and reports,\n      real property data, requisition data and requisition status, supply\n      requests, inventory, excess data, and DAISY (redistribution) data.]\n\n      System Architecture\n\n      DPAS operates in a client-server environment. This environment\n      provides the application support, operations, backup, and recovery for\n      the DPAS mission. The client environment is comprised of multiple\n      sites employing workstations with connectivity to the server\n      environment. The server site grants client connectivity only to\n      authenticated users connecting from valid internet protocol addresses.\n      DPAS system servers support all DoD agency databases using the DPAS\n      application for property accountability. 
The server environment consists\n      of the application software, operating system, database, and hardware.\n\n      The DPAS database is a relational collection of data associated with property\n      accountability and equipment management. There are 329 relational databases\n      supporting a worldwide geographical dispersion of multiple agencies and\n      commands. DPAS database files reside on magnetic disk. Magnetic tapes are\nused for off-line backups of the databases. The storage requirement for each\ncustomer database is based primarily on the number of items on the customer\'s\nproperty book. The minimum storage requirement for the DPAS common\ndatabase is 1.3 Gigabytes. This supports up to 15,000 property book items. Each\nadditional 15,000 property book items increases the storage requirement by 20\nMegabytes. The database permits asset authorization, cataloging, accountable\nrecord processing, financial processing, equipment maintenance, and equipment\nutilization. The DPAS Common database is comprised of several individual\ncustomer databases and one DPAS Excess database. The physical structure of the\nDPAS database is such that access to individual databases and the Excess\ndatabase by the application software is DPAS platform-transparent (the\napplication software is not dependent on the physical location of databases as\nconfigured across DPAS platforms). Individual site DPAS databases are resident\non the DPAS production servers located at DISA Dayton. The minimum storage\nrequirement for the DPAS Excess database is 40 Megabytes. In the event of\ndata loss or corruption, the entire DPAS database can be restored from daily tape\nbackups.\n\nThe hardware platforms for the DPAS application are Hewlett Packard (HP)\nL2000, HP K570, HPI70, HPK220, and HPK400 servers. The operating system\nis an HP-UX Release 11 Operating System with multi-user licensing for concurrent\nusers. 
Development software includes Micro Focus Version 4.0 COBOL with\ndatabase environment of Cincom SUPRA 2.9.X Relational Database Management\nSystem (UNIX/Client Server version) and Micro Focus Application-to-Application.\nServers are remotely managed by system administrators in the DISA\nOgden System Management Center (SMC) located at Hill Air Force Base, Ogden,\nUT.\n\nSecurity against unauthorized access to the DPAS database is controlled at\nseveral levels. End-user access is controlled by the operating system and Remote\nDefense Business Management System software, as well as by DPAS application\nsoftware. Database support and maintenance operations can be done only by\nthose individuals designated as database administrators or system administrators.\n\nB. Control Environment\n\nManagement Oversight\n\nDPAS is a centrally funded and managed program. The Program Manager for\nDPAS reports to the Deputy Director, Acquisition Resources and Analysis,\nProperty and Equipment Policy Office, which reports to the OUSD(C) and the\nOUSD, AT&L. The DPAS Program Management Office is located at DFAS,\nColumbus, Ohio, which provides direct operational oversight for the program and\nsupports all customer service requirements (including data conversions,\ncentralized help desk support, training, quality assurance, site support, e-learning,\nand website services). DFAS coordinates with DISA SMC Ogden to provide\nprogram IT infrastructure support. Additionally, DFAS and DISA Ogden SMC\n       work closely with NAVSISA for all DPAS software development, maintenance,\n       and testing. Finally, these entities work closely with the DPAS Configuration\n       Control Board (CCB), made up of headquarters-level property managers\n       representing the user community, to review the application\xe2\x80\x99s functionality,\n       propose changes, and provide recommendations as needed. 
The CCB meetings\n       also provide DoD property managers with a forum to learn from each other and\n       share solutions to common problems. Figure 2 below provides a graphical\n       representation of the DPAS oversight and support structure.\n\nFigure 2: DPAS Organization\n\n       [Diagram. It shows the Property and Equipment Program, the Configuration\n       Control Board, ad hoc user groups, and DPAS Program Management, together\n       with the three support organizations: the Central Design Activity (NAVSISA,\n       Mechanicsburg, PA) for software development, software maintenance, and\n       customer support; Program Management Support (DFAS, Columbus, OH) for\n       fielding and conversion, field training and user support, data integrity\n       and QA, and help desk; and System Support at DISA-Ogden, UT (management,\n       system operation and security, help desk) and at DISA-Dayton, OH (database\n       storage and management, system operations).]\n\n       Personnel Policies and Procedures\n\n       Hiring practices at each of the service organizations are in accordance with DoD\n       Instruction 8500.2, \xe2\x80\x9cInformation Assurance (IA) Implementation,\xe2\x80\x9d February 6,\n       2003, availability control, \xe2\x80\x9cIA Documentation,\xe2\x80\x9d which requires that all\n       appointments to required IA roles are established in writing, including assigned\n       duties and appointment criteria such as training, security clearance and\n       IT-designation. DPAS management, support employees, and contractors at DFAS,\n       DISA, and NAVSISA are required to review applicable administrative orders,\n       policies, and procedures with the Human Resource Office and must complete\n       appropriate forms to gain access to the DPAS System. New employees meet with\n       the Information Systems Security Manager to understand their roles and\n       responsibilities. The Information Systems Security Manager is responsible for:\n(1) providing basic systems security awareness training, (2) securing civilian and\ncontractor signatures on Automated Data Processing Security Awareness\ndisclosure forms, (3) identifying to the employee who their Terminal Area\nSecurity Officer (TASO) is and what the TASO\xe2\x80\x99s responsibilities are, and\n(4) notifying appropriate personnel to provide access to DPAS when an employee\nor contractor is hired or terminated.\n\nThe mission assurance category (MAC) of an information system reflects the\nimportance of information relative to the achievement of DoD goals and\nobjectives, particularly the war fighter combat mission. MACs are the basis for\ndetermining availability and integrity control requirements. In accordance with\nDoD Directive 8500.1 and DoD Instruction 8500.2, the MAC for DPAS has been\ndetermined to be MAC III. 
MAC III is defined as a system that, \xe2\x80\x9c\xe2\x80\xa6handles\ninformation necessary to conduct day-to-day business, but does not materially\naffect support to deployed or contingency forces in the short-term.\xe2\x80\x9d MAC III\napplications require protective measures, techniques, or procedures generally\ncommensurate with commercial best practices. The confidentiality level of the\nsystem has been established as Sensitive. The DPAS System Security\nAuthorization Agreement (SSAA) addresses the requirements for background\nchecks, gaining access to the application, and segregation of duties for support\npersonnel and the user community. This includes controlling access to DPAS by\nusing identification and authentication mechanisms such as User IDs and\npasswords, and using discretionary access, auditing, and object reuse controls.\nDPAS operates with the following objectives:\n\n   a. DPAS information shall be handled as sensitive but unclassified.\n\n   b. Adequate measures shall be in effect to ensure that data is being\n      transferred securely across communication channels.\n\n   c. All access through firewalls will be authenticated.\n\n   d. Identification and Authentication will be accomplished within DPAS by\n      using unique user logins and passwords.\n   e. Discretionary Access Controls will be implemented within databases.\n\nUser Accounts are managed by the System Administrator located at the DISA\nOgden SMC and by Site Security Officers. Personnel requesting access to DPAS\nare required to submit a System Authorization Access Request (SAAR), DD\nForm 2875, including the status of the user\'s background check and clearance\nlevel to the DISA Ogden Security Office prior to being granted access.\nCompletion of the form requires the user to accept the User Agreement to comply\nwith DISA and DoD security policies and the responsibility for safeguarding\ninformation contained in the system. 
Within their capabilities, each user shall\nprotect information and automated information systems resources against\nsabotage, tampering, denial of service, espionage, fraud, misappropriation,\nmisuse, or release to unauthorized persons. Users shall report all such\noccurrences to their TASO or Information Assurance Officer (IAO) immediately.\n\nDPAS developers and maintainers at DFAS, DISA, and NAVSISA, as well as the\nend users, are required to have favorable personnel background investigations.\nThe level of investigation depends on the sensitivity level of the automated data\nprocessing (ADP) position assigned to each individual in accordance with the\nDoD 5200.2-R, \xe2\x80\x9cPersonnel Security Program Regulation,\xe2\x80\x9d issued January 1987,\nand the DoD 5220.22-M, \xe2\x80\x9cNational Industrial Security Program Operating\nManual,\xe2\x80\x9d issued January 1995.\n\nIndividuals in positions designated ADP-I require a Single Scope Background\nInvestigation. Examples of positions that are designated ADP-I are Designated\nApproving Authorities (DAA), Program Managers, System Managers,\nInformation System Security Managers, and Network Security Managers. All\nlocal area network administrators who have the ability to assign user IDs and\npasswords or the capability to grant access to sensitive files will also occupy\nADP-I positions. The Director of DFAS may assign ADP-I sensitivity levels to\nother unique positions.\n\nIndividuals in positions designated ADP-II and ADP-III require a National\nAgency Check Plus Written Inquiries, or an equivalent level of investigation.\nPersons assigned ADP-II designations do not make executive decisions regarding\nmanagement of IT systems, hardware, or software, and are subordinate to ADP-I\npositions. These positions include IAOs, TASOs, application and systems\nprogrammers, operators, customer service personnel, schedulers, tape librarians,\nand secretaries. 
All other positions involved in DPAS activities should be\nassigned ADP-III except for contractor positions that require a National Agency\nCheck investigation only.\n\nTraining\n\nPersonnel at DFAS, DISA, and NAVSISA are required to complete continuing\neducation. Training objectives for continuing education are captured in the\nIndividual Development Plans by each individual and their supervisor.\n\nDPAS training is obtained by service organization personnel through the DPAS\nSecurity Awareness Guide, DPAS Operational Support Team Troubleshooting\nGuide, and Knowledge Management system. The DISA Online Training System\nprovides training-related technical services used in the DPAS application.\nSupport personnel at DFAS, DISA, and NAVSISA are required to receive annual\nsecurity awareness training through their respective agency or service. Each\nagency or service is required to follow the DoDI 8500.2 guidelines in providing\nsecurity awareness training. In addition, DPAS application-specific security\ntraining covers roles and responsibilities for the DPAS end user. Documentation\nof training is recorded in an attendance roster and a certificate of completion is\nprovided to each user. Training is monitored for content and kept up-to-date by\nagency or service security and training coordinators. Training for the user\ncommunity is offered by DFAS but is not required.\n\nSecurity training focuses on those processes that ensure only authorized users\ngain access to the application and specific programs. DPAS IAOs and Technical\nPoints of Contact are provided training for proper access control and setting up\nuser profiles at the DPAS program and user levels. 
This training is provided in\nconjunction with the standard courses for DPAS Basic and Basic Plus.\n\nThe DPAS User Training Manual addresses administrative issues such as granting\nsecurity access, assigning multiple accountable UICs to users, modifying the\nDPAS program, and user access. In addition, DPAS users receive the DPAS\nSecurity Awareness Guide that explains security awareness and appropriate\nmeasures to safeguard the system. The guide is provided to users when new\naccounts are set up, during training, and annually.\n\nC. Monitoring\n\nManagement and supervisory personnel at DFAS, DISA, and NAVSISA monitor\nthe performance quality and internal control environment as a normal part of their\nactivities. DFAS, DISA, and NAVSISA implemented a number of management,\nquality assurance, and operational reports that help monitor the performance of\nDPAS processing as well as the DPAS system itself. These reports are reviewed\nby DFAS, DISA, and NAVSISA. Corrective action is taken as necessary. DPAS\nprocessing problems and exceptions to normal or scheduled processing through\nhardware or software are logged, reported, and resolved.\n\nDISA Field Security Operations\n\nDPAS is subject to a System Readiness Review (SRR) process that consists of\nrunning automated SRR scripts and manual checks to compare DPAS system\nsecurity settings to recommended security settings documented in the DISA\nSecurity Technical Implementation Guides (STIGs). These SRRs include only\nthe software portion of the STIG. The SRR process is performed on the DPAS\noperating system, the database management system, and web services. DISA\nsystem administrators are responsible for executing and tracking the SRR\nprocesses on a weekly basis. Findings noted during the SRR processes are\nmonitored at DISA, Montgomery, AL. The DISA Field Security Operations\n(FSO) performs SRRs of systems supported by DISA to determine whether those\nsystems are in compliance with relevant STIGs. 
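As an added illustration of the settings-versus-STIG comparison that the weekly SRR scripts automate, the following is example code written for this page; it is not the DISA SRR scripts, the STIG itself, or any DPAS code. It parses a constructed HP-UX-style settings file, evaluates a hypothetical rule table (the SRR-nn identifiers, thresholds and severity categories are assumptions, not actual STIG checks), treats an absent setting as a finding rather than a pass, and honours a time-limited exception only when both the IAM and the DAA approvals are recorded and the expiry date has not passed. It goes slightly beyond the page by running the same review on two dates so that an expired exception is visible as a finding that reopens.

```python
"""Added example (not DISA's SRR scripts or DPAS code): a miniature SRR-style
check that compares host security settings with STIG-style expected values,
grades findings by severity category and honours time-limited exceptions as
the page describes for VMS. Rule IDs, thresholds and sample values are assumed."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional

SAMPLE_SETTINGS = """\
# constructed sample in HP-UX /etc/default/security style, not a real host
MIN_PASSWORD_LENGTH=6
PASSWORD_MAXDAYS = 180
NUMBER_OF_LOGINS_ALLOWED=3
AUTH_MAXTRIES="10"
SU_ROOT_GROUP=wheel
"""
AUDIT_PERIOD_END, REPORT_DATE = date(2005, 4, 30), date(2005, 7, 7)

def parse_settings(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; comments, blank and malformed lines are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value.strip("\"'")
    return settings

def _int(value: Optional[str]) -> Optional[int]:
    """Integer view of a setting, or None when it is absent or not numeric."""
    return int(value) if value is not None and value.lstrip("-").isdigit() else None

@dataclass(frozen=True)
class Rule:
    rule_id: str    # hypothetical identifier, not a real STIG or VMS ID
    key: str
    severity: str   # "CAT I" is the most severe, "CAT III" the least
    expected: str   # expectation as printed in the report
    compliant: Callable[[Optional[str]], bool]   # receives None if key is absent

# Hypothetical rule table; the thresholds are assumptions, not the STIG's values.
RULES: List[Rule] = [
    Rule("SRR-01", "MIN_PASSWORD_LENGTH", "CAT II", ">= 8",
         lambda v: _int(v) is not None and _int(v) >= 8),
    Rule("SRR-02", "PASSWORD_MAXDAYS", "CAT II", "<= 60",
         lambda v: _int(v) is not None and _int(v) <= 60),
    Rule("SRR-03", "AUTH_MAXTRIES", "CAT II", "<= 3",
         lambda v: _int(v) is not None and _int(v) <= 3),
    Rule("SRR-04", "SU_ROOT_GROUP", "CAT III", "wheel", lambda v: v == "wheel"),
    # An absent key is itself a finding: the check receives None and fails.
    Rule("SRR-05", "BOOT_AUTH", "CAT I", "1", lambda v: v == "1"),
]

# A waiver suppresses a finding only with IAM and DAA approval and while
# unexpired, mirroring the approval chain the page describes for VMS.
@dataclass(frozen=True)
class Waiver:
    rule_id: str
    iam_approved: bool
    daa_approved: bool
    expires: date

# Constructed waivers: one approved through June 2005, one awaiting DAA approval.
WAIVERS: List[Waiver] = [
    Waiver("SRR-02", True, True, date(2005, 6, 30)),
    Waiver("SRR-03", True, False, date(2005, 12, 31)),
]

@dataclass(frozen=True)
class Finding:
    rule_id: str
    key: str
    severity: str
    actual: Optional[str]
    status: str     # "OPEN" or "EXCEPTED"

def run_srr(settings: Dict[str, str], rules: List[Rule],
            waivers: List[Waiver], today: date) -> List[Finding]:
    """Return every non-compliant rule, marked EXCEPTED when a valid waiver covers it."""
    findings: List[Finding] = []
    for rule in rules:
        actual = settings.get(rule.key)
        if rule.compliant(actual):
            continue
        excepted = any(w.rule_id == rule.rule_id and w.iam_approved
                       and w.daa_approved and today <= w.expires for w in waivers)
        findings.append(Finding(rule.rule_id, rule.key, rule.severity, actual,
                                "EXCEPTED" if excepted else "OPEN"))
    return findings

def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Open findings per severity category, the figure management tracks."""
    counts = {"CAT I": 0, "CAT II": 0, "CAT III": 0}
    for f in findings:
        if f.status == "OPEN":
            counts[f.severity] += 1
    return counts

if __name__ == "__main__":
    for today in (AUDIT_PERIOD_END, REPORT_DATE):
        results = run_srr(parse_settings(SAMPLE_SETTINGS), RULES, WAIVERS, today)
        print(today, summarize(results), [f"{f.rule_id}:{f.status}" for f in results])
```

Running the module prints the open-finding counts per category for the end of the audit period and again for the report date. The one fully approved exception (SRR-02) is suppressed on the first date and reappears as an open CAT II finding on the second because it has expired; the SRR-03 waiver never takes effect because the DAA approval is missing. That reopening is the case a recurring SRR has to surface rather than treat a waiver as permanent.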
The SRR performed by the FSO\nis a full STIG compliance review that typically occurs annually. The DPAS\nsystem components that are maintained by DISA are subject to FSO reviews. The\nFSO is independent of the DISA Ogden management structure and does not\nmaintain or configure DPAS systems.\n\nFindings noted during the FSO SRR process are categorized according to severity\nand tracked in the Vulnerability Management System (VMS) database. VMS is\nan online web-based database with access protected by user IDs and user security\nprofiles. System Administrators, IAOs or Information Assurance Managers\n(IAM) have the responsibility to close findings in the database as they are\nmitigated in the systems. A member of the FSO staff must validate finding\nresolutions. The FSO also performs random validation checks of resolved\nfindings to ensure that corrective actions are actually taking place. Some findings\ncan be exempted from resolution if technical or business needs require a\nnoncompliant setting. Exceptions are usually for a limited time and must be\napproved by the IAM prior to final approval by the DAA.\n\nThe Information Assurance Vulnerability Alert tracking system in the VMS\ndatabase generates management reports that are checked daily by the IAM to\nmonitor Information Assurance Vulnerability Alert compliance. Results of SA,\nIAO, and IAM mitigation and closure efforts are provided to the DAA.\n\nDITSCAP Certification and Accreditation\n\nDoD Instruction 5200.40, DITSCAP, issued December 30, 1997, and\nDoD 8510.1-M, \xe2\x80\x9cDITSCAP Application Manual,\xe2\x80\x9d issued July 31, 2000,\nestablished the DITSCAP as the standard DoD certification and accreditation\nprocess. 
Certification is the comprehensive evaluation of the technical and\nnon-technical security features of an information system and other safeguards made in\nsupport of the accreditation process to establish the extent to which a particular\ndesign and implementation adheres to specified security requirements.\nAccreditation is the formal declaration by a DAA that an information system is\napproved to operate in a particular security mode using a prescribed set of\nsafeguards at an acceptable level of risk. DITSCAP establishes a standard\nprocess, set of activities, general tasks, and a management structure to certify and\naccredit an information system that will maintain the IA and security posture of\nthe Defense Information Infrastructure. This process supports an\ninfrastructure-centric approach with a focus on the mission, environment, and architecture.\n\nDPAS must comply with all of the DITSCAP certification and accreditation\nrequirements throughout its life cycle and document the requirements in the\nSSAA. The SSAA is a formal agreement with the DAA(s), the Certifier, user\nrepresentative, and program manager employed to guide actions, document\ndecisions, specify IA requirements, document certification tailoring and\nlevel-of-effort, identify potential solutions, and maintain operational systems security.\nSSAAs were prepared for the DPAS application and the supporting operating\nenvironment.\n\nTrouble Management System Function\n\nDPAS system problems are usually identified by a DPAS user or by a monitoring\nprocess executed at the support organization. The problem is logged into the\nTrouble Management System maintained by NAVSISA. A trouble ticket number\nis assigned in the log and a technician to return the system to a fully operational\nstate is identified and recorded on the ticket. 
The Trouble Management System is\nmonitored by NAVSISA to ensure tickets are closed timely, and by the Software\nDirector to ensure their knowledge of the operational state of the system. The\nTrouble Management System ticket is monitored to ensure the completion of the\nproposed corrective action, as well as actions taken to return the system to full\noperational capability.\n\nData Evaluation and Quality Assurance Function\n\nThe DFAS Data Evaluation and Quality Assurance function provides recurring\nand special reports, data extracts, data analysis, and recommendations to improve\nDPAS data integrity and program efficiency. These reports are generated on a\nmonthly basis, captured electronically onto compact discs, and distributed to CCB\nrepresentatives. The Quality Assurance branch monitors data quality to measure\nimprovement over time in the areas of asset management, accountability, and\nfinancial reporting accuracy.\n\nDepartment of Defense, Office of Inspector General\n\nThe DoD OIG was established by Congress to conduct and supervise audits and\ninvestigations related to DoD programs and operations. The DoD OIG reports\ndirectly to the Secretary of Defense and is independent of DFAS and DISA.\nDPAS, as well as the property accountability processes it supports, is part of the\nDoD OIG audit universe and is subject to financial, operational, and IT audits,\nreviews, and special assessment projects.\n\n\nOffice of the Inspector General, Defense Information Systems Agency\n\nDISA has its own Office of the Inspector General, which is an independent office\nwithin DISA that conducts internal audits, inspections, and investigations. The\nDISA-related components that support DPAS are part of the DISA Office of the\nInspector General audit universe and are subject to audits, inspections, and\ninvestigations conducted by the DISA OIG.\n\nD. 
Risk Assessment\n\nThreats, vulnerabilities, and risks associated with DPAS operations are\ndocumented in the application and enclave SSAAs with personnel from DFAS,\nDISA, and NAVSISA participating in the risk assessments. Among the tools\nutilized for conducting risk assessments are a comprehensive evaluation of the\nMAC Controls referenced in DoD Instruction 8500.2 and applicable Phase II, III,\nand IV tasks documented in DoD 8510.1-M. The MAC controls address the areas\nof Security Design and Configuration, Identification and Authentication, Enclave\nand Computing Environment, Enclave Boundary Defense, Physical and\nEnvironmental, Personnel, Continuity, and Vulnerability and Incident\nManagement. The procedures outlined in DoD 8510.1-M cover risk in the\nfollowing major areas: System Architecture Analysis; Software, Hardware, and\nFirmware Design Analysis; Network Connection Rule Compliance Analysis;\nLife-cycle Management Analysis; Vulnerability Assessment; Security Testing and\nEvaluation; Penetration Testing; System Management Analysis; and Contingency\nPlan Evaluation. The SSAA describes Residual Risk Assessments and documents\nvulnerabilities noted during DPAS tests and analyses. The SSAA also documents\nrisk mitigation strategies designed to protect information commensurate with the\nlevel of risk and magnitude of harm resulting from loss, misuse, unauthorized\naccess, or modification. The SRR processes described in the Monitoring section\nalso provide management a means to assess and track potential security risks\nassociated with the DPAS technical infrastructure.\n\nE. Information and Communication\n\nUsers can submit a change request to the DPAS CCB, which makes the final\ndetermination on the implementation of changes to the system. 
There is a\ndocumented system request process that considers emerging information needs of\nthe user community.\n\nOn an annual basis, each support organization independently develops a DPAS\nprogram strategy that is summarized in a support agreement known as a\nService-Level Proposal or Service-Level Agreement. The strategies are based on user\nneeds expressed through their CCB member, technology changes, challenges\ndiscussed during DPAS program reviews, changes in policies and procedures\nfrom the Comptroller and logistics communities, and the budgetary realities\nreported by the respective support organizations.\n\nThere are three DPAS support agreements in place that are reviewed and updated\nannually. These Service-Level Agreements detail the roles and responsibilities of\nthe various entities involved in providing support to DPAS.\n\n1. OUSD, AT&L, Arlington, VA, and the Department of the Navy, NAVSISA,\n   Mechanicsburg, PA.\n\n   As detailed in the Service-Level Agreement, NAVSISA provides OUSD,\n   AT&L the following services:\n\n       a.   Software Development Services\n       b.   Software Maintenance and Operating Support\n       c.   Management Reporting\n       d.   Other Support (Provides briefings to DPAS user groups and user\n            conferences as requested by the customer. Provides software and\n            scanner web-site content as required by the DPAS Web-Site Review\n            Board. Updates DPAS trainer personnel on software changes as\n            required. Provides technical support to various DPAS support\n            initiatives such as e-learning, security documentation, web-site, and\n            classroom training.)\n\n2. DISA and the OUSD, AT&L.\n\n   As detailed in the Service-Level Agreement, DISA provides OUSD, AT&L\n   the following services:\n\n       a. Server Processing\n       b. Telecommunications Services\n       c. 
Support Services, including technical and operational support for the\n          DPAS application, Security, System Administration, Network\n          Communications, Database Management, Operations, Customer\n          Technical Liaison, and the Web Server\n       d. Full Cost Recovery Services, including processing cycles, input and\n          output transfers, memory utilization, storage of and access to data\n          maintained on direct access storage devices, and network connectivity\n\n3. Director, Property and Equipment Policy, OUSD, AT&L, Arlington, VA, and\n   the Defense Finance Accounting Service Technology Services Organization,\n   DPAS Program Management Support Division.\n\n   As detailed in the Service-Level Agreement, DFAS Columbus provides\n   OUSD, AT&L the following services:\n\n       a. Administration\n       b. Program planning\n       c. Program management support\n       d. Customer support that includes implementations, data assurance\n          customer assistance, call center, help desk, web-site development and\n          administration\n       e. Customer training\n       f. Oversight of the software development and maintenance service\n          provided by NAVSISA, and\n       g. Oversight of systems infrastructure support operational services and\n          data processing services provided by DISA\n\n\n\nOngoing written communication between DPAS support community\norganizations and staff helps to ensure that program objectives and important\ninformation are clearly shared. Support organizations also meet to discuss\nprogram issues and project objectives including performance, areas of concern,\naccomplishments, anticipated workload changes, and project status reports.\nNAVSISA provides weekly status reports on deliverables and services via update\nof the Configuration Management Tracking System (CMTS). In-Process\nReviews are conducted on project status and open management issues. 
CCB\nmeetings are held biannually to communicate issues including new DPAS\n\n                                   23\n\x0creleases to the user community. The DPAS support entities participate with the\nCCB in meetings, briefings, or site visits to discuss processing and program\nissues.\n\nThe DPAS Help Desk provides customer support from 6 a.m. until 6 p.m. and an\non-call service for all other times. The Help Desk mission is to provide customers\na single place to call for their support needs. Help Desk agents are responsible for\ntracking and responding to customer requests including those that come in\nthrough the DPAS web site, email, or the Call Center. The agents track issues\nthat require system changes through the Program Trouble Report (PTR) process\nuntil they are resolved.\n\nThe DPAS program provides a public website that contains information on the\nDPAS program mission and goals, software, support, training, and guidance.\nThe support areas include customer, technical, security, training, and management\nsupport, as well as quality assurance.\n\nF. Control Activities\n\nThe DPAS control objectives and related control activities are included in Section\nIII of this report, \xe2\x80\x9cInformation Provided by the Service Auditor,\xe2\x80\x9d to eliminate the\nredundancy that would result from listing them in this section and repeating them\nin Section III. Although the control objectives and related controls are included in\nSection III, they are, nevertheless, an integral part of management\xe2\x80\x99s description of\ncontrols.\n\nG. User Control Considerations\n\nDPAS was designed with the assumption that certain controls would be\nimplemented by DPAS user organizations. This section describes additional\ncontrols that should be in operation at DPAS user organizations to complement\nthe controls maintained by DFAS, DISA, and NAVSISA. 
User auditors should consider whether the following controls have been placed in operation at user organizations:

Authorization Controls

   •  Property in transit in which the government has taken title is recorded by the Property Custodian and has been approved by the Property Book Officer (PBO).

   •  Recorded additions and changes to the asset register and master file made by the Property Custodian are compared to source documents authorized by the PBO to ensure that they were input accurately.

   •  Assets are periodically inventoried by the Hand Receipt Holder and then by the PBO to ensure that hand receipts match the assets recorded in the asset register. Reconciling items are identified and addressed by the Hand Receipt Holder in a timely manner.

   •  Authorized users of DPAS and their specific access needs are approved by the PBO and the Information Systems Security Officer, and directly communicated in writing by the resource owner to DISA-Ogden.

   •  Personnel responsible for asset acquisition, disposal, recording, and maintenance have responsibility for only one such function and do not have system access beyond their assigned function.

   •  The Information Systems Security Officer has configured system security so that only authorized users have the ability to enter, modify, or otherwise alter property records.

Completeness Controls

   •  The PBO and the user’s accounting function periodically review the asset register and master file data for accuracy, ongoing pertinence, and reconciliation to the corresponding general ledger accounts. Reconciling items are addressed by the PBO in a timely manner.

   •  The Property Custodian accurately records the values and physical units of beginning balances, acquisitions, and property held for disposal and retirement in DPAS.

   •  Requests to change the asset register and master file data are logged and reviewed by the PBO to ensure that all requested changes are processed in a timely manner.

   •  Asset-related transactions before or after the end of an accounting period are scrutinized and reconciled by the user’s accounting function to ensure complete and consistent recording of transactions in the appropriate accounting period.

   •  Asset and accumulated depreciation balances are carried forward from one processing cycle to the next by the user’s accounting function, using independently obtained asset acquisition, asset disposal, and depreciation expense data.

   •  Depreciation charges are reviewed by the PBO and the user’s accounting function to determine whether the charges are accurate, complete, and recorded in the appropriate period.

   •  The PBO identifies DoD property accountability policies, communicates those policies to property personnel, and updates standard operating procedures to reflect policy changes.

Accuracy Controls

   •  The Property Custodian accurately records the method and costs of acquiring each property item or bulk property item.

   •  Depreciation exception items are consistently identified, monitored, and corrected by the PBO and the user’s accounting function.

Control Over the Integrity of Processing and Data Files

   •  The Property Custodian accurately records property in-transit information to establish and maintain accountability and control over property.

   •  Processing out-of-balance reports are reviewed promptly by the PBO and the user’s accounting function and followed up by the PBO to determine the cause of the out-of-balance condition.

   •  The PBO periodically reviews error reports that list rejected transactions and corrects them within a reasonable time.

   •  All changes to the asset register and master file are approved by the PBO.

   •  The PBO reviews audit trails of changes to property records, including a transaction-based history of property activity, modifications, improvements, changes in value, and the data entry and approval.

   •  Interfaced inputs are transmitted in batch files, and batch control totals are used to balance sent transactions to received transactions. Out-of-balance conditions are reported, corrected, and reentered.

The list of user-organization control considerations presented above does not represent a comprehensive set of all the controls that should be employed by user organizations. Other controls may be required at user organizations.

Section III: Control Objectives, Control Activities, and Tests of Operating Effectiveness

A. Scope Limitations

The control objectives documented in this section were specified by the DoD OIG. The control activities described in this section were specified by DISA, DFAS, and NAVSISA management.
As described in the prior section (Section II), DPAS interfaces with many systems. The controls described, and the tests of those controls, in this section of the report were limited to those computer systems, operations, and processes directly related to DPAS itself. The controls related to DPAS source and destination system interfaces were specifically excluded from this review. We did not perform procedures to evaluate the effectiveness of the input, processing, and output controls within interfacing systems, although we did perform procedures to evaluate DPAS interface input and output controls. We did not perform any procedures to evaluate the integrity and accuracy of the data contained in DPAS.

B. Control Objectives, Control Activities, and Tests of Operating Effectiveness

Each numbered entry below gives the control objective (CO No.), the control activity and the organization responsible for it, the test procedure performed by the service auditor, and the results of testing.

Enterprise-Wide Security Program Planning

CO No. 1
Control Objective: Risks are periodically assessed.
Control Activity (DISA-Ogden, DFAS-Columbus): Risk assessments are performed as part of the DITSCAP compliance process. Automated System Readiness Report (SRR) scripts are run on each server and reported to the Montgomery SRR database on a weekly basis. Each system has an SRR and an Internet Security Systems (ISS) scan performed before it is connected to the network. The DISA FSO runs periodic SRRs and ISS scans. SRR findings are documented and tracked in the VMS.
Test Procedure:
   DFAS-Columbus: Read the latest Risk Assessment performed with the SSAA and confirmed with the Branch Chief, Quality Assurance Division, that risks were periodically assessed. Read the annual IA assessment and confirmed with the ISSO that existing policies and processes were assessed annually.
   DISA-Ogden: Observed the SRR process to confirm that it occurred and that corrective actions were tracked. Selected a haphazard sample of SRRs performed by DISA-Ogden and inspected the VMS reports to confirm that findings identified by the SRR process had been addressed.
Results of Testing: The DITSCAP Phase II and Phase III Summary Analysis Reports for each task were not documented and included in the SSAA. However, a checklist was completed for each Phase II and Phase III task, and a Risk Assessment and an IA assessment were performed. The intent of the objective was achieved.

CO No. 2
Control Objective: A security plan is documented and approved.
Control Activity (DFAS-Columbus): The DPAS security plan is documented, maintained, approved, and periodically updated.
Test Procedure (DFAS-Columbus): Read the DPAS SSAA to confirm it had been documented, updated, and appropriately approved. Read the annual IA assessment to confirm that existing policies and processes were assessed annually.
Results of Testing: No relevant exceptions noted.

CO No. 3
Control Objective: The security plan is kept current.
Control Activity (DFAS-Columbus): The DPAS security plan is documented, maintained, approved, and periodically updated.
Test Procedure (DFAS-Columbus): Read the DPAS SSAA to confirm it had been documented, updated, and appropriately approved. Read the DPAS Systems Security Policy, Security Requirements, and Certification Test and Evaluation Plan and Procedures to confirm that each had been updated. Read the annual IA assessment to confirm that existing policies and processes were assessed annually.
Results of Testing: No relevant exceptions noted.

CO No. 4
Control Objective: A security management structure has been established.
Control Activity (DISA-Ogden): An IAM and an Alternate IAM have been assigned. There are Information Assurance Officers (IAOs) for each type of operating system and TASOs assigned to each area.
Test Procedure (DISA-Ogden): Confirmed through inquiry that a management structure had been established. Read the DISA-Ogden organizational chart and job descriptions to confirm that all positions were established in writing. Read the SSAA for the security management structure and confirmed that each position was outlined in the SSAA.
Results of Testing: The security management structure contained position titles that were not in accordance with DoD 8500.2 requirements. However, we confirmed through interviews and inspection of the organizational chart and job descriptions that a security management structure was in place. The intent of the objective was achieved.

CO No. 5
Control Objective: Information security responsibilities are clearly assigned.
Control Activity (DISA-Ogden): An IAM and an Alternate IAM have been assigned. There are IAOs for each type of operating system and TASOs assigned to each area.
Test Procedure (DISA-Ogden): Read the SSAA for the security management responsibilities. Confirmed that each position outlined in the SSAA was filled and that the person understood their duties. Read the DISA-Ogden organizational chart and job descriptions to confirm that all positions were established in writing.
Results of Testing: No relevant exceptions noted.

CO No. 6
Control Objective: A set of rules that describe the IA operations of the DoD information system and clearly delineate the IA responsibilities and expected behavior of all personnel is in place.
Control Activity (DISA-Ogden): The DPAS SSAA describes IA responsibilities and the expected behavior of personnel.
Test Procedure (DISA-Ogden): Obtained the DISA-Ogden SSAA and job descriptions. Confirmed that the SSAA and job descriptions clearly delineated responsibilities and expected behavior. Read the DISA-Ogden organizational chart and job descriptions to confirm that all positions were established in writing.
Results of Testing: No relevant exceptions noted.

CO No. 7
Control Objective: Owners and users are aware of security policies.
Control Activity (DISA-Ogden): Each new employee and contractor is provided with a security briefing. They must also sign that they have received this briefing. This briefing is provided annually to employees and contractors.
Test Procedure (DISA-Ogden): Read the Security Awareness Training provided by DISA-Ogden. Selected a haphazard sample of employees and read their training files to confirm the completion of the necessary security training and a signoff. Inspected the training sign-in sheets to confirm that DISA-Ogden employees had attended annual training.
Results of Testing: The DPAS Program Manager, DISA-Ogden, did not attend the 2004 annual training. However, the DPAS Program Manager did not have system access to DPAS. As such, the DPAS Program Manager’s lack of training presents minimal risk to DPAS.

CO No. 8
Control Objective: An incident response capability has been implemented.
Control Activity (DISA-Ogden): An incident response plan has been established and documented in the DISA-Ogden SSAA.
Test Procedure (DISA-Ogden): Confirmed through inspection that the incident plan detailed in the SSAA had been implemented. Selected a haphazard sample of incidents to confirm that the incident response plan was being followed.
Results of Testing: No relevant exceptions noted.

CO No. 9
Control Objective: Hiring, transfer, termination, and performance policies address security.
Control Activity (DISA-Ogden): For security purposes, all newly hired personnel are required to have:
   1. Completed National Agency Check personal security investigations for all functional users (civilian, military, and contractors), as a minimum.
   2. Registration of all users by Defense Enterprise Computing Center (DECC) System Administrators, the IAO, or the specific data owners.
   3. Specified system and/or application permissions that only allow access to required, ‘need to know’ information.
   4. A unique User Identification (ID) and password for all users.
   5. Specific DECC system training.
   6. Initial and refresher Information Security training.
   7. DISA Form 2875 for all DECC system users.
   For transfer and termination of personnel, the following is required:
   1. A debriefing is conducted.
   2. A reminder of the non-disclosure agreement is given.
   3. The DISA Form 70 checklist is used to ensure collection of DISA property.
   4. A signed DISA termination statement is obtained.
   5. An email is sent to System Administrators to remove all system access.
Test Procedure (DISA-Ogden): Read the hiring, transfer, termination, and performance policies of DISA-Ogden to confirm they were documented. Inspected a haphazard sample of System Access Authorization Request (SAAR) Forms 2875 to confirm that each Form 2875 detailed the user’s justification for access and security clearance level, and that each Form 2875 was properly approved. Confirmed through inquiry that a debrief is conducted when an employee is terminated and that a DISA Form 70 is used to note the collection of DISA property. Confirmed through observation that an email is sent to the Security Administrator to request that system access be removed for a terminated employee. Selected a sample of all DPAS-related employees located at DISA-Ogden and inspected the annual security sign-in sheets to confirm that each employee had completed the training.
Results of Testing: The DPAS Program Manager, DISA-Ogden, did not attend the 2004 annual training. However, the DPAS Program Manager did not have system access to DPAS. As such, the DPAS Program Manager’s lack of training presents minimal risk to DPAS.

CO No. 10
Control Objective: Employees have adequate training and expertise.
Control Activity (DISA-Ogden): Employees are required to complete periodic training for their respective job functions.
Test Procedure (DISA-Ogden): Confirmed through inquiry that employees had adequate training and expertise. Read System Administrator training materials to confirm that they provided each System Administrator with adequate training and expertise.
Results of Testing: The System Administrator-specific training was outdated and did not provide a means to verify whether a user had successfully completed the training materials. However, we confirmed through inspection of annual security training attendance sheets that DISA-Ogden employees attended annual security training. The intent of the objective was achieved.

CO No. 11
Control Objective: A program is implemented to confirm that upon arrival and periodically thereafter, all personnel receive training and familiarization to perform their assigned IA responsibilities.
Control Activity (DISA-Ogden): Each new employee and contractor is provided with a security briefing. They must also sign that they have received this briefing. This briefing is provided annually to employees and contractors.
Test Procedure (DISA-Ogden): Read the Security Awareness Training provided by DISA-Ogden. Selected a haphazard sample of employees and read their training files to confirm the completion of the necessary security training and a signoff.
Results of Testing: The DPAS Program Manager, DISA-Ogden, did not attend the 2004 annual training. However, the DPAS Program Manager did not have system access to DPAS. The DPAS Program Manager’s lack of training presents minimal risk to DPAS.

CO No. 12
Control Objective: Management periodically assesses the appropriateness of security policies and compliance with them.
Control Activity (DISA-Ogden, DFAS-Columbus): An IA review is conducted by the Security Officer that comprehensively evaluates existing policies and processes to ensure procedural consistency and to ensure that they fully support the goal of uninterrupted operations.
Test Procedure:
   DISA-Ogden: Interviewed the Security Officer to obtain an understanding of how DISA-Ogden management assessed the appropriateness of the security policies and compliance with them. Read the DPAS Security Requirements and Information Systems Security Policy Certification Test and Evaluation Procedures to confirm that an annual IA review was conducted and that comprehensive vulnerability management was in place.
   DFAS-Columbus: Read the annual IA assessment to confirm that existing policies and processes were assessed annually. Read the DPAS SSAA to confirm that the latest risk assessment was conducted in 2003.
Results of Testing: The DPAS SSAA was approved by the DAA on October 9, 2003, providing DPAS with an ATO; however, we determined that the SSAA was not in total compliance with DITSCAP. Since the ATO, we noted that sections of the DPAS SSAA had been updated in accordance with DoDI 8500.2 DCAR-1; however, all required DITSCAP Phase II and III analysis had not been properly performed and documented. We noted, however, that a checklist had been documented for each Phase II and Phase III task.

CO No. 13
Control Objective: Management ensures that corrective actions are effectively implemented.
Control Activity (DISA-Ogden): Corrective actions are tested after they have been implemented and are monitored on a continuing basis.
Test Procedure (DISA-Ogden): Interviewed management personnel to gain an understanding of how operating system patches, updates, and changes were implemented. Observed the SRR process to confirm that corrective actions were implemented for identified SRR findings. Selected a haphazard sample of SRRs and inspected the VMS reports to confirm that findings identified by the SRR process had been addressed.
Results of Testing: No relevant exceptions noted.

CO No. 14
Control Objective: A comprehensive vulnerability management process that includes the systematic identification and mitigation of software and hardware vulnerabilities is in place.
Control Activity (DISA-Ogden): Software and hardware vulnerabilities are independently validated through inspection and automated vulnerability assessment or state management tools. The VMS and Information Assurance Vulnerability Alerts are utilized to track and maintain system vulnerability status.
Test Procedure (DISA-Ogden): Read the vulnerability management policy to confirm that the process included systematic identification and mitigation of software and hardware vulnerabilities, and that identified vulnerabilities had been documented and resolved.
Results of Testing: No relevant exceptions noted.

CO No. 15
Control Objective: Changes to the DoD information system are assessed for IA and accreditation impact prior to implementation.
Control Activity (DISA-Ogden): SRR scripts are run on each server and reported to the Montgomery SRR database on a weekly basis. Each system has an SRR and an ISS scan performed before it is connected to the network. The DISA FSO runs periodic SRRs and ISS scans.
Test Procedure (DISA-Ogden): Observed the SRR process to confirm that it occurred and that corrective actions were tracked. Observed the system software change control process for DISA-Ogden and confirmed that changes were properly approved before implementation. Inspected a sample of system
Results of Testing: No relevant exceptions noted.
All system    changes and confirmed that\n\n\n\n                                                            40\n\x0cCO    Control Objective           Control Activity            Test Procedure                      Results of Testing\nNo.\n                                 software changes must        changed were only implemented\n                                 be reviewed and              after proper approval or not\n                                 approved prior to            implemented if not approved.\n                                 implementation.\n16    A DoD reference           DISA-Ogden                    DISA-Ogden                          No relevant exceptions\n      document constitutes the The DISA UNIX STIG,            Read the DoD Directives 8500.01,    noted.\n      primary source for        and DISA Instruction          8500.02, 8510.1-M, the DISA\n      security configuration or Information Systems           Database STIG, DISA UNIX STIG,\n      implementation guidance Security Program 630-           and DISA Instruction Information\n      for the deployment of     230-19 are the primary        Systems Security Program 630-230-\n      newly acquired IA- and    documents used to frame       19 to confirm that they constituted\n      IA-enabled IT products. the internal security           the primary source configuration or\n                                requirements of the           implementation guidance for the\n                                DPAS application.             deployment of newly acquired IA-\n                                                              and IA-enabled products.\n\n\n      Access Controls\n17    Resource classifications    DFAS-Columbus             DFAS-Columbus                         No relevant exceptions\n      and related criteria have   The MAC Level has been    Read the DPAS SSAA and                noted.\n      been established.           
assigned and periodically confirmed that a MAC level had\n                                  reviewed.                 been assigned to DPAS and\n                                                            reviewed.\n18    Owners have classified      DFAS-Columbus             DFAS-Columbus                         No relevant exceptions\n      resources.                  The MAC Level has been Read the DPAS SSAA and                   noted.\n                                  assigned and periodically confirmed that a MAC level had\n                                  reviewed.                 been assigned to DPAS and\n                                                            reviewed.\n\n\n                                                              41\n\x0cCO    Control Objective          Control Activity            Test Procedure                        Results of Testing\nNo.\n19    Resource owners have       DFAS-Columbus               DFAS-Columbus                         No relevant exceptions\n      identified authorized      User access roles within    Observed documentation that           noted.\n      users and their level of   DPAS are defined            defined user roles and\n      access.                    
according to job            responsibilities.\n                                 description, Modules\n                                 Accessed, Access            Observed the application to confirm\n                                 Privilege, Required         that users required a valid Login\n                                 Module, Module              and Password to gain access to the\n                                 Sensitivity, and Position   system.\n                                 Sensitivity.\n                                                             Observed that a user account was\n                                                             assigned a Security Profile that\n                                                             restricted access by module,\n                                                             program, Unit Identification Code\n                                                             (UIC), and Hand Receipt.\n\n20    Emergency and              DISA-Ogden                  DISA-Ogden                            No relevant exceptions\n      temporary access           Emergency and               Read the emergency and temporary      noted.\n      authorization is           temporary access            access policy. Selected a sample of\n      controlled.                
authorizations are          emergency and temporary access\n                                 documented on standard      and confirmed that:\n                                 forms and maintained on        \xe2\x80\xa2 The authorization was\n                                 file, approved by                  approved and that access\n                                 appropriate managers,              was closed in a timely\n                                 securely communicated              manner.\n                                 to the security function,      \xe2\x80\xa2 The emergency and\n                                 and automatically                  temporary access list was\n                                 terminated after a                 periodically reviewed.\n\n\n\n                                                             42\n\x0cCO    Control Objective         Control Activity             Test Procedure                         Results of Testing\nNo.\n                                predetermined period.             \xe2\x80\xa2 Temporary access\n                                                                    authorizations were\n                                                                    established for least\n                                                                    privileged need-to-know\n                                                                    access.\n21    Owners determine          DISA-Dayton                  DISA-Dayton                            No relevant exceptions\n      disposition and sharing   The \xe2\x80\x9cDisposition of          Obtained and read the \xe2\x80\x9cDisposition     noted.\n      of data.                  Unclassified DoD             of Unclassified DoD Computer\n                                Computer Hard Drives\xe2\x80\x9d        Hard Drives\xe2\x80\x9d policy used by DISA-\n                                policy is followed for the   Dayton. 
Conducted inquiry of\n                                disposal of equipment        DPAS Database Administrator and\n                                containing sensitive         confirmed that the policy was being\n                                information and              used.\n                                software.\n                                                             Observed the destroyed hard drives\n                                DFAS-Columbus                located at DISA-Dayton.\n                                Security Profiles in\n                                DPAS limit the DPAS          DFAS-Columbus\n                                Modules that can be          Observed that each user account\n                                accessed by a user and       was assigned a Security Profile that\n                                the functionality            restricted access by module,\n                                provided within those        program, UIC, and Hand Receipt.\n                                DPAS Modules.\n\n22    Adequate physical         DISA-Ogden, DISA-            DISA-Ogden                          No relevant exceptions\n      security controls have    Dayton                       Observed the physical safeguards in noted.\n      been implemented.         
Physical and logical         place for DISA Ogden to confirm\n                                access controls are in       safeguards had been established to\n\n\n\n                                                             43\n\x0cCO    Control Objective   Control Activity              Test Procedure                          Results of Testing\nNo.\n                          place to restrict             mitigate the risk of physical damage\n                          employees to authorized       or access.\n                          actions based on\n                          organizational and            Observed that facility penetration\n                          individual job                testing processes were in place that\n                          responsibilities.             included periodic, unannounced\n                                                        attempts to penetrate key\n                          Every physical access         computing facilities and that every\n                          point that displays           physical access point that displayed\n                          sensitive information or      sensitive information or unclassified\n                          unclassified information      information that had not been\n                          that has not been cleared     cleared for release was controlled\n                          for release is controlled     during business hours and guarded\n                          during business hours         or locked during non-business\n                          and guarded or locked         hours.\n                          during non-business\n                          hours. Current signed         DISA-Dayton\n                          procedures exist for          Confirmed through observation\n                          controlling visitor access.   
that physical safeguards had been\n                                                        established at DISA-Dayton to\n                                                        mitigate the risk of physical damage\n                                                        or access.\n\n\n\n                                                        Observed that facility penetration\n                                                        testing processes were in place that\n                                                        included periodic, unannounced\n\n\n\n                                                        44\n\x0cCO    Control Objective           Control Activity           Test Procedure                          Results of Testing\nNo.\n                                                             attempts to penetrate key\n                                                             computing facilities and that every\n                                                             physical access point that displayed\n                                                             sensitive information or unclassified\n                                                             information that had not been\n                                                             cleared for release was controlled\n                                                             during business hours and guarded\n                                                             or locked during non-business\n                                                             hours.\n\n23    Physical safeguards have    DISA-Dayton                DISA-Dayton                           No relevant exceptions\n      been established that are   All packages entering      Confirmed through inspection of       noted.\n      commensurate with the       into DISA-Dayton are       penetration exercise documentation\n      risks of physical damage    inspected by entry         that facility 
penetration testing\n      or access.                  control for possible       processes were in place that\n                                  bombs. Panic buttons       included periodic, unannounced\n                                  notify Security in the     attempts to penetrate key\n                                  case of an emergency.      computing facilities and that every\n                                  The notified Security      physical access point that displayed\n                                  Forces immediately         sensitive information or unclassified\n                                  notify all posts and       information that had not been\n                                  patrols and furnish them   cleared for release was controlled\n                                  with all available         during business hours and guarded\n                                  information. Security      or locked during non-business\n                                  forces seal off the        hours.\n                                  immediate area of\n                                  DECC-Dayton, or\n                                  installation               Observed that the DPAS data\n\n\n\n                                                             45\n\x0cCO    Control Objective          Control Activity            Test Procedure                        Results of Testing\nNo.\n                                                             center was protected by fire\n                                 entry exit points may be    suppression and the prevention\n                                 blocked.                    
devices were installed and working.\n                                                             Observed that there was a UPS and\n                                 Fire suppression and        that the cooling system was\n                                 prevention devices are      periodically maintained.\n                                 installed in the DPAS\n                                 data center.                Confirmed through observation\n                                                             that DISA Dayton contained a\n                                 Visitors must sign-in       master power switch to stop power\n                                 with the DISA-Dayton        to IT equipment was in place and\n                                 Security Attendant prior    was located at the data center\n                                 to entry into the DISA-     entrances and was clearly labeled.\n                                 Dayton facility.\n\n\n\n\n24    Visitors are controlled.   DISA-Ogden, DISA-           DISA-Ogden                            No relevant exceptions\n                                 Dayton                      Read the visitor policy and           noted.\n                                 Entry control is manned     procedure for DISA-Ogden to\n                                 during normal business      confirm they were documented.\n                                 hours, 0700-1600,           Observed the visitor check in and\n                                 Monday \xe2\x80\x93 Friday. 
The        check out process for DISA-Ogden.\n                                 entry control personnel\n                                 manage and maintain the     Confirmed through inquiry and\n                                 entry point, check          observation that visitor access to\n                                 badges, and issue visitor   DoD information was determined\n\n\n\n                                                             46\n\x0cCO    Control Objective         Control Activity           Test Procedure                         Results of Testing\nNo.\n                                badges.                    by both\n\n                                                           its classification and user need-to-\n                                                           know.\n\n                                                           DISA-Dayton\n                                                           Confirmed through inquiry that all\n                                                           visitors were controlled.\n\n                                                           Read the DOD OI 125-5 to confirm\n                                                           that the instruction detailed the\n                                                           procedures for obtaining access and\n                                                           detailed the security procedures for\n                                                           access to controlled areas.\n\n                                                           Read the Department of the Air\n                                                           Force\xe2\x80\x99s penetration memorandum\n                                                           to confirm that a penetration\n                                                           exercise was preformed by the SFS\n                                                           on the DISA-Dayton 
facility.\n25    Adequate logical access   DISA-Ogden                 DISA-Ogden                             We noted that 4 out of 45\n      controls have been        A SAAR form is              Inspected a haphazard sample of       users tested did not have\n      implemented at the        required to be completed   SAAR Form 2875 to confirm that         a System Access\n      application layer.        and authorized before a    each Form 2875 detailed the user\xe2\x80\x99s     Authorization Request\n                                user is issued access to   justification for access, security     form on file.\n                                the application layer of   clearance level, and that each Form    According to DISA-\n                                the system.                2875 was properly approved.            Ogden personnel, the\n                                                                                                  missing forms resulted\n\n\n\n                                                           47\n\x0cCO    Control Objective   Control Activity         Test Procedure                         Results of Testing\nNo.\n                          DFAS-Columbus            DFAS-Columbus                          from the transfer of\n                          Security Profiles in     Observed that each user account        responsibility for the\n                          DPAS limit the DPAS      was assigned a Security Profile that   forms from DISA-\n                          Modules that can be      restricted access by module,           Dayton to DISA-Ogden.\n                          accessed by a user and   program, UIC, and Hand Receipt.        DISA-Ogden believed\n                          the functionality                                               they were lost during the\n                          provided within those                                           physical transfer of the\n                          DPAS Modules. 
                                                  forms from DISA-\n                                                                                          Dayton to DISA-Ogden.\n                                                                                          The DISA-Ogden\n                                                                                          Contract Technical\n                                                                                          Requirement Analyst\n                                                                                          indicated to us that these\n                                                                                          four users were\n                                                                                          authorized to have access\n                                                                                          to the system based on\n                                                                                          daily interaction\n                                                                                          processing authorization\n                                                                                          requests. 
Confirmed\n                                                                                          through inquiry of the IT\n                                                                                          Specialist, User Creation\n                                                                                          Division, and observed a\n                                                                                          sample of user access\n                                                                                          forms to that DPAS user\n                                                                                          accounts and necessary\n                                                                                          documentation was on\n                                                                                          file.\n\n\n\n\n                                                   48\n\x0cCO    Control Objective           Control Activity            Test Procedure                        Results of Testing\nNo.\n26    Passwords, tokens, or       DISA-Ogden, DFAS-           DISA-Ogden                            No relevant exceptions\n      other devices are used to   Columbus                    Confirmed through inquiry that        noted.\n      identify and authenticate   Passwords are used to       passwords were used to\n      users.                      identify and authenticate   authenticate users.\n\n                                  users when accessing the    Read the Security Account Creation\n                                  DPAS application.           
Guide at DISA-Ogden to confirm\n                                                              that authentication devices were in\n                                                              compliance with DoD standards.\n\n                                                              DFAS-Columbus\n                                                              Observed the DPAS application to\n                                                              confirm that users needed a valid\n                                                              User ID and Password to gain\n                                                              access to the system.\n\n                                                              Observed that accounts became\n                                                              locked after three failed login\n                                                              attempts.\n27    Access paths are            DISA- Oklahoma City         DISA-OKC                              No relevant exceptions\n      identified as part of a     (OKC)                       Confirmed through inquiry that        noted.\n      risk analysis and           Access control lists        ACLs, user management controls,\n      documented in an access     (ACL) have been             firewalls, intrusion detection\n      path diagram.               implemented for             systems (IDS), and authentications\n                                  interconnections among      were all used to control network\n                                  DoD information             access.\n                                  systems. 
The ACLs are\n                                  controlled by DISA-         Observed the existence of the ACLs\n\n\n\n                                                              49\n\x0cCO    Control Objective         Control Activity           Test Procedure                       Results of Testing\nNo.\n                                OKC.                       at DISA-Dayton by having a\n                                                           network administrator display the\n                                                           listing on his desktop.\n\n                                                           Obtained and read the network\n                                                           diagrams for DISA-Ogden and\n                                                           DISA-Dayton to confirm that access\n                                                           paths were documented and\n                                                           monitored by IDSs.\n28    Access is restricted to   DISA-Ogden, DISA-          DISA-Ogden, DISA-Dayton            No relevant exceptions\n      data files and software   Dayton                     For the DPAS servers, confirmed    noted.\n      programs.                 Access to data files and   through inquiry and inspection of\n                                software programs is       root access users that access\n                                limited to authorized      restrictions had been established\n                                personnel on a \xe2\x80\x9cneed-to-   around the data files and software\n                                know\xe2\x80\x9d basis.               
programs.\n\n                                                           Inspected the access logs and\n                                                           corroborated with management\n                                                           that the access logs were reviewed\n                                                           for inappropriate access and that\n                                                           system libraries were managed and\n                                                           maintained to protect privileged\n                                                           programs.\n\n\n29    Access settings have been DISA-Ogden, DFAS-          DISA-Ogden                           We noted that 4 out of 45\n      implemented in            Columbus                   Inspected a haphazard sample of      users tested did not have\n\n\n\n                                                           50\n\x0cCO    Control Objective       Control Activity           Test Procedure                        Results of Testing\nNo.\n      accordance with the     Access to data files and   SAAR Form 2875 to confirm that        a System Access\n      access authorizations   software programs is       each Form 2875 detailed the user\xe2\x80\x99s    Authorization Request\n      established by the      limited to authorized      justification for access, security    form on file.\n      resource owners.        personnel on a \xe2\x80\x9cneed-to-   clearance level, and that each Form   According to DISA-\n                              know\xe2\x80\x9d basis.               2875 was properly approved.           
Ogden personnel, the missing forms resulted from the transfer of responsibility for the forms from DISA-Dayton to DISA-Ogden. DISA-Ogden believed they were lost during the physical transfer of the forms from DISA-Dayton to DISA-Ogden. The DISA-Ogden Contract Technical Requirement Analyst indicated to us that these four users were authorized to have access to the system based on daily interaction processing authorization requests. Confirmed through inquiry of the IT Specialist, User Creation Division, and observed a sample of user access forms to confirm that DPAS user accounts and necessary documentation were on file.
    Test Procedure (continued), DFAS-Columbus: Observed the DPAS system to confirm that each user account was assigned a Security Profile that restricted access by module, program, UIC, and Hand Receipt.

CO No. 30  Control Objective: Telecommunications controls are properly implemented in accordance with authorizations that have been granted.
    Control Activity, DISA-OKC: The following are used to provide telecommunication controls: ACLs, IDS, Firewalls, Encryption, and Network monitoring.
    Test Procedure, DISA-OKC: Confirmed through inquiry that telecommunications controls were implemented. Observed the existence of ACL, IDS, Firewall, Encryption, and Network monitoring controls. Using an automated tool, performed passive network monitoring of DPAS related network traffic over a period of 10 days to test for unauthorized network connections.
    Results of Testing: No relevant exceptions noted.

CO No. 31  Control Objective: Procedures are in place to clear sensitive information and software from computers, disks, and other equipment or media when they are disposed of or transferred to another use.
    Control Activity, DISA-Dayton: The "Disposition of Unclassified DoD Computer Hard Drives" policy is followed for the disposal of equipment containing sensitive information and software.
    Test Procedure, DISA-Dayton: Read the "Disposition of Unclassified DoD Computer Hard Drives" policy used by DISA-Dayton. We confirmed through the DPAS Database Administrator that the policy was being used. Observed the destroyed hard drives located at DISA-Dayton.
    Results of Testing: No relevant exceptions noted.

CO No. 32  Control Objective: Audit trails are maintained at the application layer, operating system, and database layer.
    Control Activity, DISA-Ogden, DISA-Dayton: Operating system and database audit files are periodically moved to an audit server located at Ogden. The audit files are then transferred to CD and stored on site for one year. After one year, the CDs are destroyed.
    Control Activity, DFAS-Columbus: The DPAS application maintains a History Inquiry of each asset that allows a user to view an audit trail of transactions for an asset.
    Test Procedure, DISA-Ogden, DISA-Dayton: Confirmed through inquiry that DISA-Ogden, DISA-Dayton, and DFAS-Columbus had implemented audit trails at the application layer, operating system, and database layer. Confirmed through inquiry of the Assistant ISSO that audit trails were maintained and logs were read. Confirmed through inquiry of the DPAS DBA and SA that DISA-Ogden personnel routinely reviewed the logs. Confirmed through inquiry and observation that audit logs included activities that might modify, bypass, or negate safeguards controlled by the system, and that the audit trails were stored on CDs in the DISA-Ogden facility, protected against unauthorized access, modification, or deletion, and maintained for 1 year and then destroyed.
    Test Procedure, DFAS-Columbus: Observed that the DPAS History Inquiry captured the transactional activity of an asset.
    Results of Testing: No relevant exceptions noted.

CO No. 33  Control Objective: The contents of audit trails are protected against unauthorized access, modification or deletion.
    Control Activity, DISA-Ogden, DISA-Dayton: Only the IAM, the Assistant IAM, the Database Administrator and the HP/UX System Administrators had access to the audit trails.
    Test Procedure, DISA-Ogden, DISA-Dayton: Read the policy and procedures for protection of the audit trails and noted that policy limiting access to these audit trails was documented. Observed that only the IAM, the Assistant IAM, the Database Administrator and the HP/UX System Administrators had access to the audit trails. Attempted to access the audit trails using a test account.
    Results of Testing: No relevant exceptions noted.

CO No. 34  Control Objective: Tools are available for the review of audit records and for report generation from audit records.
    Control Activity, DISA-Ogden, DISA-Dayton: The Hewlett Packard Audit Trail tools can be used to review and report existing audit records.
    Test Procedure, DISA-Ogden, DISA-Dayton: Confirmed through inquiry of DISA-Ogden personnel that a tool was not available to efficiently review audit records.
    Results of Testing: DISA-Ogden did not have a software tool available to proactively monitor or review operating system audit trails because they did not have the appropriate software tool that would allow them to efficiently analyze large volumes of audit log data.

CO No. 35  Control Objective: Actual or attempted unauthorized, unusual, or sensitive network access is monitored.
    Control Activity, DISA-Ogden, DISA-OKC: Authorized and unauthorized network access is monitored through Transmission Control Protocol (TCP) Wrapper and Klaxon or Banshee. Host based IDS (Symantec Enterprise Security Manager (ESM) and Intruder Alert) are installed on all Unix servers.
    Test Procedure, DISA-Ogden, DISA-OKC: Inquired with the System Administrator to confirm that unauthorized, unusual, or sensitive access was monitored. Confirmed through inquiry and observation that DISA currently had network, firewall, and IDS logs. These logs were monitored and maintained to include full audit trails, including syslogs, and were retained indefinitely. Confirmed through inquiry and observation that authorized and unauthorized network access authorizations were appropriately limited by user management, ACLs, Firewalls, authentication, and network monitoring.
    Results of Testing: No relevant exceptions noted.

CO No. 36  Control Objective: Suspicious or irregular access activity is investigated and appropriate action taken.
    Control Activity, DISA-Ogden: When suspicious activity is detected, an initial investigation is performed. If deemed an actual event, the Continental U.S. (CONUS) Regional Computer Emergency Response Team (RCERT) is notified and action is taken as required.
    Test Procedure, DISA-Ogden: Inquired with the System Administrator to confirm that suspicious or irregular access activity was investigated and appropriate actions were taken. Obtained and read evidence that the investigations and corrective actions had taken place.
    Results of Testing: No relevant exceptions noted.

CO No. 37  Control Objective: The acquisition, development, and/or use of mobile code to be deployed in DoD systems meet current guidelines, standards and regulations.
    Control Activity, DISA-Ogden: No mobile code is used on the DPAS servers.
    Control Activity, DISA Oklahoma City (DISA-OKC): All IA devices have been approved by NSA, or in accordance with NSA, before acquiring and implementing.
    Test Procedure, DISA-Ogden: Inspected the DoD systems guidelines, standards, and regulations concerning mobile code. Inquired with the System Administrator to confirm that the acquisition, development, and use of mobile code to be deployed in DoD systems met current guidelines, standards and regulations.
    Test Procedure, DISA-OKC: Confirmed through inquiry that DISA-OKC verified NSA evaluation, or evaluation in accordance with NSA approval, for all IA related products. Read the National Information Assurance Partnership (NIAP) website and confirmed that the website provided a list of approved products that included the products being used by DPAS.
    Results of Testing: No relevant exceptions noted.

CO No. 38  Control Objective: All servers, workstations and mobile computing devices implement virus protection that includes a capability for automatic updates.
    Control Activity, DISA-Ogden, DISA-Dayton: All servers, workstations and mobile computing devices implement virus protection that includes a capability for automatic updates.
    Test Procedure, DISA-Ogden, DISA-Dayton: Observed that all servers, workstations and mobile computing devices implemented virus protection that included a capability for automatic updates for all DPAS locations. Obtained a print screen as evidence that virus protection settings had been configured.
    Results of Testing: No relevant exceptions noted.

CO No. 39  Control Objective: All Virtual Private Network (VPN) traffic is visible to network IDS.
    Control Activity, DISA-OKC: All network traffic, including VPN traffic, is visible to the RealSecure IDS.
    Test Procedure, DISA-OKC: Inquired with System Administrators to confirm that all VPN traffic was visible to network IDS. Read the system network diagram and corroborated with the SA to confirm that VPN traffic was included on the diagram.
    Results of Testing: No relevant exceptions noted.

CO No. 40  Control Objective: At a minimum, medium-robustness Commercial Off-the-Shelf IA and IA-enabled products are used to protect sensitive information when the information transits public networks or the system handling the information is accessible by individuals who are not authorized to access the information on the system.
    Control Activity, DISA-OKC: All networks managed by DISA-OKC have been encrypted in accordance with the National Institute of Standards and Technology (NIST) cryptography standards.
    Test Procedure, DISA-OKC: Inquired with Key Personnel to confirm that medium-robustness Commercial Off-the-Shelf IA and IA-enabled products were used to protect sensitive information when the information transited public networks or the system handling the information was accessible by individuals who were not authorized to access the information on the system, for each of the DPAS locations. Using an automated tool, performed passive network monitoring of DPAS related network traffic over a period of 10 days to test for unencrypted traffic transmitted over commercial or wireless networks.
    Results of Testing: No relevant exceptions noted.

CO No. 41  Control Objective: Unless there is an overriding technical or operational problem, workstation screen-lock functionality is associated with each workstation.
    Control Activity, DISA-Ogden: Unless there is an overriding technical or operational problem, workstation screen-lock functionality is associated with each workstation. When activated, the screen-lock function places an unclassified pattern onto the entire screen of the workstation, totally hiding what was previously visible on the screen.
    Test Procedure, DISA-Ogden: Confirmed through observation that workstation screen-lock functionality was applied. If screen-locks were not being used, confirmed the reason through inquiry with the DPAS SA.
    Results of Testing: No relevant exceptions noted.

CO No. 42  Control Objective: Instant messaging traffic to and from instant messaging clients that are independently configured by end users and that interact with a public service provider is prohibited within DoD information systems.
    Control Activity, DISA-OKC: Instant messaging is prohibited at all DISA sites.
    Test Procedure, DISA-OKC: Inquired with DISA-Ogden staff to confirm that no instant messaging was used. Using an automated tool, performed passive network monitoring of DPAS related network traffic over a period of 10 days to test for instant messaging traffic.
    Results of Testing: No relevant exceptions noted.

CO No. 43  Control Objective: For Automated Information System applications, a list of all (potential) hosting enclaves is developed and maintained along with evidence of deployment planning and coordination and the exchange of connection rules and requirements.
    Control Activity, DISA-Ogden: The DPAS hosting enclaves are documented in the DPAS SSAA.
    Test Procedure, DISA-Ogden: Read the DPAS SSAA to confirm that the DPAS enclave and backup enclave had been identified and documented.
    Results of Testing: No relevant exceptions noted.

CO No. 44  Control Objective: Group authenticators for application or network access may be used only in conjunction with an individual authenticator.
    Control Activity, DISA-Ogden: A SAAR Form 2875 is sent to Ogden to request access to DPAS. Ogden then verifies required field contents and signatures. Ogden creates User IDs and passwords and retains the Form 2875. The user location's DPAS Security Officer applies the user access permissions.
    Control Activity, DFAS-Columbus: Users must possess a valid User ID and password to gain access to DPAS.
    Test Procedure, DISA-Ogden: Confirmed through inquiry whether group authenticators for application or network access were used only in conjunction with an individual authenticator. Confirmed through inquiry that, if used in conjunction with individual authenticators, approval had been given by the DAA. Inspected a haphazard sample of SAAR Forms 2875 to confirm that each Form 2875 detailed the user's justification for access and security clearance level, and that each Form 2875 was properly approved.
    Test Procedure, DFAS-Columbus: Observed DPAS to confirm that users must possess a valid Login and Password to gain access to the system. Observed the entering of an invalid User ID and password to confirm that the system displayed an error message to the user.
    Results of Testing: We noted that 4 out of 45 users tested did not have a System Access Authorization Request form on file. According to DISA-Ogden personnel, the missing forms resulted from the transfer of responsibility for the forms from DISA-Dayton to DISA-Ogden. DISA-Ogden believed they were lost during the physical transfer of the forms from DISA-Dayton to DISA-Ogden. The DISA-Ogden Contract Technical Requirement Analyst indicated to us that these four users were authorized to have access to the system based on daily interaction processing authorization requests. Confirmed through inquiry of the IT Specialist, User Creation Division, and observed a sample of user access forms to confirm that DPAS user accounts and necessary documentation were on file.

CO No. 45  Control Objective: To help prevent inadvertent disclosure of controlled information, all contractors and foreign nationals are identified by e-mail addresses and display names.
    Control Activity, DISA-Ogden: All contractors are identified by the inclusion of the abbreviation "ctr" and all foreign nationals are identified by the inclusion of their two character country code.
    Test Procedure, DISA-Ogden: Obtained a listing of all contractor and foreign national email addresses and display names for DISA Ogden and confirmed that their proper identifications were present.
    Results of Testing: No relevant exceptions noted.

CO No. 46  Control Objective: Unclassified, sensitive data transmitted through a commercial or wireless network are encrypted using NIST-certified cryptography.
    Control Activity, DISA-OKC: All networks managed by DISA-OKC have been encrypted in accordance with NIST cryptography standards.
    Test Procedure, DISA-OKC: Inquired with Key Personnel to confirm that NIST cryptography was used to protect information when the information transited public networks or the system handling the information was accessible by individuals who were not authorized to access the information on the system, for each of the DPAS locations. Using an automated tool, performed passive network monitoring of DPAS related network traffic over a period of 10 days and confirmed that no unencrypted traffic was transmitted over commercial or wireless networks.
    Results of Testing: No relevant exceptions noted.

CO No. 47  Control Objective: Discretionary access controls are a sufficient IA mechanism for connecting DoD information systems operating at the same classification, but with different need-to-know access rules.
    Control Activity, DISA-OKC: ACLs have been implemented for interconnections among DoD information systems. The ACLs are controlled by DISA-OKC.
    Test Procedure, DISA-OKC: Confirmed through inquiry that a controlled interface was used for interconnections among the DoD information systems that were connected to DPAS. Observed the existence of the ACLs at DISA-Dayton by having a network administrator display the listing on his desktop.
    Results of Testing: No relevant exceptions noted.

CO No. 48  Control Objective: Conformance testing that includes periodic, unannounced, in-depth monitoring and provides for specific penetration testing to ensure compliance with all vulnerability mitigation procedures is planned, scheduled, and conducted.
    Control Activity, DISA-Ogden: An unannounced ISS scan is performed monthly. Automated SRR scripts are run on each server and reported to the Montgomery SRR database on a weekly basis. Each system has an SRR and an ISS scan before it is connected to the network. The DISA Field Security Office runs periodic SRRs and ISS scans. DISA-Ogden conducts an operation facility environmental risk assessment.
    Test Procedure, DISA-Ogden: Confirmed through inquiry that conformance testing that included periodic, unannounced, in-depth monitoring and provided for specific penetration testing to confirm compliance with all vulnerability mitigation procedures was planned, scheduled, and conducted. Confirmed through inquiry that DISA-Ogden did not perform periodic network penetration testing. Inspected ISS scans and obtained evidence that the conformance and penetration testing was being completed.
    Results of Testing: DISA-Ogden did not perform periodic network penetration testing to identify vulnerabilities with the DPAS architecture.

CO No. 49  Control Objective: All users are warned that they are entering a Government information system.
    Control Activity, DISA-Ogden; DISA-Dayton: A warning banner notifies users that they are entering a DoD information system when they log on.
    Test Procedure, DISA-Ogden; DISA-Dayton: Observed that workstations display a DoD warning banner at logon.
    Results of Testing: No relevant exceptions noted.

CO No. 50  Control Objective: Information and DoD information systems that store, process, transmit, or display data in any form or format that is not approved for public release comply with all requirements in policy and guidance documents.
    Control Activity, DISA-Ogden: Unless there is an overriding technical or operational problem, workstation screen-lock functionality is associated with each workstation. When activated, the screen-lock function places an unclassified pattern onto the entire screen of the workstation, totally hiding what was previously visible on the screen.
    Test Procedure, DISA-Ogden: Confirmed through observation that workstation screen-lock functionality was applied. Inquired with key personnel to confirm that information in transit through a network at the same classification level was encrypted. Using an automated tool, performed passive network monitoring of DPAS related network traffic over a period of 10 days to test for unencrypted traffic transmitted over commercial or
wireless networks.\n\n                                   Information in transit      Observed that displays and printers\n                                   through a network at the    used for classified information were\n                                   same classification level   positioned to deter unauthorized\n                                   is encrypted.               individuals from reading the\n                                                               information at all of the locations.\n                                   Work areas are behind\n                                   monitored entrances and\n                                   appropriate placement of\n                                   cubicles and\n                                   workstations is\n                                   implemented.\n\n\n51    Information in transit       DISA-Ogden                  DISA-Ogden                             No relevant exceptions\n      through a network at the     Information in transit      Inquired with key personnel to         noted.\n      same classification level,   through a network at the    confirm that information in transit\n      but which must be            same classification level   through a network at the same\n      separated for need-to-       is encrypted.               classification level was encrypted\n      know reasons, is                                         with NIST-certified cryptography.\n      encrypted, at a\n      minimum, with NIST-                                      Using an automated tool,\n      certified cryptography.                                  
performed passive network\n                                                               monitoring of DPAS related\n                                                               network traffic over a period of 10\n                                                               days to test for unencrypted\n\n\n\n                                                               65\n\x0cCO    Control Objective          Control Activity          Test Procedure                         Results of Testing\nNo.\n                                                           network traffic.\n52    Connections between        DISA-Ogden                DISA-Ogden                             No relevant exceptions\n      DoD enclaves and the       Connections between       Inspected the DISA-Ogden system        noted.\n      Internet or other public   DoD enclaves and the      architecture to confirm that\n      or commercial wide area    Internet are configured   connections between DoD enclaves\n      networks require a         with a Demilitarized      and the Internet were configured\n      Demilitarized Zone.        Zone.                     with a Demilitarized Zone.\n\n53    Boundary defense           DISA-OKC, DISA-           DISA-OKC, DISA-Dayton                  No relevant exceptions\n      mechanisms to include      Dayton                    Inspected the DISA-OKC system          noted.\n      firewalls and network      DISA-Ogden and DISA-      architecture to confirm that\n      IDS                        Dayton have boundary      boundary defense mechanisms to\n                                 defense mechanisms in     include firewalls and network IDS\n       are deployed at the       place that include        were deployed at the enclave\n      enclave boundary.          firewalls and IDSs.       
boundary.\n\n                                                           Read system network diagram and\n                                                           corroborated with the System\n                                                           Administrator to confirm that\n                                                           defense mechanisms were\n                                                           employed.\n\n                                                           Observed the existence of firewalls\n                                                           and IDSs.\n\n54    Devices that display or    DISA-Ogden                DISA-Ogden                             No relevant exceptions\n      output classified or       Work areas are behind     Observed that displays and printers    noted.\n      sensitive information in   monitored entrances and   were used for classified information\n\n\n\n                                                           66\n\x0cCO    Control Objective          Control Activity           Test Procedure                          Results of Testing\nNo.\n      human-readable form        appropriate placement of   and confirmed that these items\n      are positioned to deter    cubicles and               were positioned to deter\n      unauthorized individuals   workstations is            unauthorized individuals from\n      from reading the           implemented.               reading the information at all of the\n      information.                                          
locations.\n\n\n\n55    Individuals requiring      DISA-Ogden                 DISA-Ogden                              We noted that 4 out of 45\n      access to sensitive        A Form 2875 is required    Read the policies and procedures        users tested did not have\n      information are            to be completed by         for gaining access to sensitive         a System Access\n      processed for access       anyone requesting access   information.                            Authorization Request\n      authorization in           to DPAS. The form must                                             form on file.\n      accordance with DoD        be completed correctly     Inspected a haphazard sample of         According to DISA-\n      personnel security         and                        SAAR Form 2875s to confirm that         Ogden personnel, these\n      policies.                                             each Form 2875 detailed the user\xe2\x80\x99s      missing forms resulted\n                                 have all the required      justification for access, security      from the transfer of\n                                 signatures.                clearance level, and that each Form     responsibility for the\n                                                            2875 was properly approved.             
forms from DISA-\n                                                                                                    Dayton to DISA-Ogden.\n                                                                                                    DISA-Ogden believed\n                                                                                                    they were lost during the\n                                                                                                    physical transfer of the\n                                                                                                    forms from DISA-\n                                                                                                    Dayton to DISA-Ogden.\n                                                                                                    The DISA-Ogden\n                                                                                                    Contract Technical\n                                                                                                    Requirement Analyst\n\n\n\n                                                            67\n\x0cCO    Control Objective        Control Activity           Test Procedure                         Results of Testing\nNo.\n                                                                                                 indicated to us that these\n                                                                                                 four users were\n                                                                                                 authorized to have access\n                                                                                                 to the system based on\n                                                                                                 daily interaction\n                                                                                           
      processing authorization\n                                                                                                 requests. Confirmed\n                                                                                                 through inquiry of the IT\n                                                                                                 Specialist, User Creation\n                                                                                                 Division, and observed a\n                                                                                                 sample of user access\n                                                                                                 forms to that DPAS user\n                                                                                                 accounts and necessary\n                                                                                                 documentation was on\n                                                                                                 file.\n\n56    DoD information          DISA-Dayton                DISA-Dayton                          No relevant exceptions\n      systems comply with      All port, protocols, and   Confirmed through the                noted.\n      DoD ports, protocols,    services used by DPAS      performance of network monitoring\n      and services guidance.   are in compliance with     that DoD information systems\n                               DoD standards              complied with DoD ports, protocols,\n                               documented in the Unix     and services guidance, including all\n                               STIG.                      
ports, protocols, and services\n                                                          whether currently active or planned\n                                                          for use.\n\n                                                          Confirmed that all ports, protocols,\n                                                          and services were identified and\n\n\n\n                                                          68\n\x0cCO    Control Objective         Control Activity            Test Procedure                        Results of Testing\nNo.\n                                                            registered.\n\n                                                            Read the documentation of DPAS\n                                                            being successfully STIGed.\n57    Binary or machine         DISA-Ogden                  DISA-Ogden                            No relevant exceptions\n      executable public         DPAS does not have          Read a listing of software products   noted.\n      domain software           binary or machine           used at DISA-Ogden to confirm\n      products and other        executable public           DPAS did not have binary or\n      software products with    domain software             machine executable public domain\n      limited or no warranty    installed.                  
software installed.\n      are not used in DoD\n      information systems.\n                                                            Read software inventory listing and\n                                                            conducted inquiry with the\n                                                            Program Manager for\n                                                            Configuration Management to\n                                                            confirm that binary or machine\n                                                            executable public domain software\n                                                            products and other software\n                                                            products with limited or no\n                                                            warranty were not installed on\n                                                            DPAS.\n      Application Software Development and Change Control\n58    A system development       NAVSISA                    NAVSISA                              No relevant exceptions\n      life cycle methodology     A Change Management        Read the Change Management Plan noted.\n      (SDLC) has been            Plan has been              to confirm that it had been updated.\n      implemented and            implemented,\n      documented.                documented, and\n\n\n\n                                                            69\n\x0cCO    Control Objective        Control Activity            Test Procedure                        Results of Testing\nNo.\n                               updated. 
NAVSISA\n                               follows a documented\n                               Software Configuration\n                               Management Plan for all\n                               system maintenance\n                               activity.\n59    Authorizations for       NAVSISA                     NAVSISA                               No relevant exceptions\n      software modifications   Using the DPAS              Selected the full population of 48    noted.\n      are documented and       Software Configuration      code and database modifications\n      maintained.              Management Plan as the      that occurred during the seven\n                               overarching guidance, all   month period under review\n                               System Change Requests      (September 2004 to March 2005)\n                               (SCRs) are approved by      from the DPAS production code\n                               the DPAS Program            library (UNIX directory) and\n                               Manager. Specific           traced each modification to an\n                               changes that are to occur   approved SCR or PTR and\n                               as a result of SCRs are     confirmed through inspection that\n                               documented in the           it had been authorized by the\n                               System Subsystem            Program Manager or Software\n                               Specification that is       Director and traced each SCR or\n                               developed by NAVSISA        PTR identified above to the Release\n                               and provided to the         Authorization Report to confirm\n                               Software Director for       that the CIs had been approved by\n                               approval. 
Changes           the Software Director.\n                               relating to PTRs are also\n                               approved by the             Inquired of key NAVSISA\n                               Software Director.          personnel and DPAS users to\n                               Configured Items (CIs)      confirm the results of the testing\n\n\n\n                                                           70\n\x0cCO    Control Objective          Control Activity            Test Procedure                      Results of Testing\nNo.\n                                 related to SCRs and         above.\n                                 PTRs that are identified\n                                 for a release are tracked\n                                 at NAVSISA using\n                                 CMTS. CMTS provides\n                                 visibility at the\n                                 individual CI level as to\n                                 specific changes that are\n                                 being prepared for any\n                                 given release. 
Prior to a\n                                 release, a Release\n                                 Authorization Report is\n                                 prepared that identifies\n                                 the CIs that are\n                                 contained in the release.\n                                 The DPAS Software\n                                 Director and a\n                                 representative of\n                                 NAVSISA sign this\n                                 report attesting to the\n                                 CIs that are to be\n                                 released to production.\n\n60    Use of public domain       DFAS-Columbus               DFAS-Columbus                       No relevant exceptions\n      and personal software is   Public domain and           Read DPAS SSAA to confirm that      noted.\n      restricted.                personal software must      personal software was restricted.\n                                 be approved for use.\n                                                             Read inventory listing to confirm\n\n\n\n                                                             71\n\x0cCO    Control Objective          Control Activity              Test Procedure                       Results of Testing\nNo.\n                                                               that binary or machine executable\n                                                               public domain software products\n                                                               and other software products with\n                                                               limited or no warranty were not\n                                                               installed on DPAS.\n\n61    Changes are controlled     NAVSISA                       NAVSISA                              No relevant exceptions\n      as programs progress       Test plan standards have     
 Using the same sample selected for   noted.\n      through testing to final   been developed for all        control objective 59, confirmed that\n      approval.                  levels of testing that        the change followed the appropriate\n                                 define responsibilities for   test and migration process by\n                                 each party including          inspecting the following for\n                                 users, system analysts,       completeness and authorization:\n                                 programmers, auditors,              o System Test Plan;\n                                 quality assurance, and              o Detailed system\n                                 library control.                       specifications; and\n                                                                     o Unit, System and\n                                 Detailed system                        Acceptance testing results.\n                                 specifications are\n                                 prepared by the               Inquired of key NAVSISA\n                                 programmer and                personnel and DPAS users to\n                                 reviewed by a                 confirm the results of the testing\n                                 programming                   above.\n                                 supervisor.\n\n\n                                 Software changes are\n                                 documented so that they\n\n\n\n                                                               72\n\x0cCO    Control Objective   Control Activity              Test Procedure   Results of Testing\nNo.\n                          can be traced from\n                          authorization to the final\n                          approved code and they\n                          facilitate \xe2\x80\x9ctrace-back\xe2\x80\x9d of\n                          code to 
design\n                          specifications and\n                          functional requirements\n                          by system testers.\n\n                          Unit, integration, and\n                          system testing are\n                          performed and approved\n                          1) in accordance with the\n                          test plan and, 2) applying\n                          a sufficient range of valid\n                          and invalid conditions.\n\n                          A comprehensive set of\n                          test transactions and\n                          data is developed that\n                          represents the various\n                          activities and conditions\n                          that will be encountered\n                          in processing.\n\n\n                          Live data are not used in\n                          the testing of program\n\n\n\n                                                        73\n\x0cCO    Control Objective        Control Activity            Test Procedure                       Results of Testing\nNo.\n                               changes except to build\n                               test data files.\n\n                               Test results are reviewed\n                               and documented.\n\n                               Program changes are\n                               moved into production\n                               only upon documented\n                               approval from users and\n                               system development\n                               management.\n\n                               Documentation is\n                               updated for software,\n                               hardware, operating\n                               personnel, and system\n                               users when a new or\n                               modified system is\n   
                            implemented.\n\n\n62    Emergency changes are    NAVSISA                     NAVSISA                              No relevant exceptions\n      promptly tested and      Using the DPAS              Selected the full population of 48   noted.\n      approved before being    Software Configuration      code and database modifications\n      moved into production.   Management Plan as the      that occurred during the seven\n                               overarching guidance, all   month period under review\n                               SCRs are approved by        (September 2004 to March 2005)\n\n\n\n                                                           74\n\x0cCO    Control Objective   Control Activity            Test Procedure                        Results of Testing\nNo.\n                          the DPAS Program            from the DPAS production code\n                          Manager. Specific           library (UNIX directory) and\n                          changes that are to occur   traced each modification to an\n                          as a result of SCRs are     approved SCR or PTR and\n                          documented in the           confirmed through inspection that\n                          System Subsystem            it had been authorized by the\n                          Specification that is       Program Manager or Software\n                          developed by NAVSISA        Director and traced each SCR or\n                          and provided to the         PTR identified above to the Release\n                          Software Director for       Authorization Report to confirm\n                          approval. Changes           that the CIs had been approved by\n                          relating to PTRs are also   the Software Director.\n                          approved by the\n                          Software Director. 
CIs      Inquired of key NAVSISA\n                          related to SCRs and         personnel and DPAS users to\n                          PTRs that are identified    confirm the results of the testing\n                          for a release are tracked   above.\n                          at NAVSISA using the\n                          CMTS. CMTS provides         Using the same sample selected\n                          visibility at the           above, confirmed that the change\n                          individual CI level as to   followed the appropriate test and\n                          specific changes that are   migration process by inspecting the\n                          being prepared for any      following for completeness and\n                          given release. Prior to     authorization:\n                          release, a Release                o System Test Plan (STP);\n                          Authorization Report is           o Detailed system\n                          prepared that identifies            specifications; and\n                          the CIs that are                  o Unit, System and\n\n\n\n                                                      75\n\x0cCO    Control Objective   Control Activity              Test Procedure                        Results of Testing\nNo.\n                          contained in the release.             
Acceptance testing results.\n                          The DPAS Software\n                          Director and a\n                          representative of             Inquired of key NAVSISA\n                          NAVSISA signs this            personnel and DPAS users to\n                          report attesting to the       confirm the results of the testing\n                          CIs that are to be            above.\n                          released to production.\n\n\n                          Test plan standards have\n                          been developed for all\n                          levels of testing that\n                          define responsibilities for\n                          each party including\n                          users, system analysts,\n                          programmers, auditors,\n                          quality assurance, and\n                          library control.\n\n                          Detailed system\n                          specifications are\n                          prepared by the\n                          programmer and\n                          reviewed by a\n                          programming\n                          supervisor.\n\n\n\n\n                                                        76\n\x0cCO    Control Objective   Control Activity              Test Procedure   Results of Testing\nNo.\n                          Software changes are\n                          documented so that they\n                          can be traced from\n                          authorization to the final\n                          approved code and they\n                          facilitate \xe2\x80\x9ctrace-back\xe2\x80\x9d of\n                          code to design\n                          specifications and\n                          functional requirements\n                          by system testers.\n\n\n                          Unit, integration, and\n                          
(Control activity continued from the preceding row)
    ... system testing are performed and approved 1) in accordance with the test plan and 2) applying a sufficient range of valid and invalid conditions.

    A comprehensive set of test transactions and data is developed that represents the various activities and conditions that will be encountered in processing.

    Live data are not used in testing of program changes except to build test data files.

    Test results are reviewed and documented.

    Program changes are moved into production only on documented approval from users and system development management.

    Documentation is updated for software, hardware, operating personnel, and system users when a new or modified system is implemented.

77

CO No. | Control Objective | Control Activity | Test Procedure | Results of Testing

63  Distribution and implementation of new or revised software is controlled.
    Control Activity (NAVSISA): A Release Authorization Report is prepared that identifies the CIs that are contained in the release and approves the release for distribution.
    Test Procedure (NAVSISA): Using the same sample selected for control objective 59, confirmed that the change followed the appropriate distribution process by inspecting the Release Authorization Report for completeness and authorization. Inquired of key NAVSISA personnel and DPAS users to confirm the results of the testing above.
    Results of Testing: No relevant exceptions noted.

64  Programs are labeled and inventoried.
    Control Activity (NAVSISA): Major release CIs for CCB-approved SCRs are entered into CMTS using the impact cost analysis forms for each SCR. All additions, changes, or deletions to the production baseline SCR are submitted to Change Management for approval. All CIs are assigned identification numbers.
    Test Procedure (NAVSISA): Using the same sample selected for control objective 59, confirmed that the CI that was changed had been approved, labeled, assigned an ID, and inventoried in CMTS. Inquired of key NAVSISA personnel and DPAS users to confirm the results of the testing above.
    Results of Testing: No relevant exceptions noted.

65  Access to program libraries is restricted to appropriate personnel.
    Control Activity (NAVSISA): Authorized individuals are restricted to only specifically assigned libraries by the DPAS Librarian.
    Test Procedure (NAVSISA): Observed the DPAS Librarian demonstrate how the development and production libraries were controlled. Inspected the ACLs for the Production and Development libraries (directories) to confirm that only authorized personnel had access. Observed a system developer attempt to update the production library to confirm that access to the production library was restricted. Inquired of key NAVSISA personnel and DPAS users to confirm the results of the testing above.
    Results of Testing: No relevant exceptions noted.

66  Acquisition or outsourcing of IT services explicitly addresses Government, service provider, and end user IA roles and responsibilities.
    Control Activity (NAVSISA): The contract agreement (GS-07T-00-BGD-0063) and Statement of Work with General Dynamics, who performs code development services for NAVSISA in support of DPAS, expressly address tasks, required skill sets, security investigations, and nondisclosure agreements for the support of DPAS services.
    Test Procedure (NAVSISA): Inspected the General Dynamics contract agreement to confirm that it expressly addressed Government, service provider, and end-user IA roles and responsibilities. Inquired of key NAVSISA personnel and DPAS users to confirm the results of the testing above.
    Results of Testing: No relevant exceptions noted.

67  The acquisition of all IA and IA-enabled GOTS IT products is limited to products that have been evaluated by the NSA or in accordance with NSA-approved processes.
    Control Activity (DISA-OKC): All IA devices have been approved by NSA, or in accordance with NSA approval processes, before acquisition and implementation.
    Test Procedure (DISA-OKC): Confirmed through inquiry that DISA-OKC verified that all IA-related products were approved by NSA or in accordance with NSA-approved processes. Inspected the NIAP website and confirmed that the website provided a list of approved products, including the products used by DPAS.
    Results of Testing: No relevant exceptions noted.

68  Movement of programs and data among libraries is controlled.
    Control Activity (NAVSISA): A Release Authorization Report is prepared that identifies the CIs that are contained in the release and approves the release for distribution.
    Test Procedure (NAVSISA): Using the same sample selected for control objective 59, confirmed that the changes selected for testing followed the appropriate distribution process by inspecting the Release Authorization Report for completeness and authorization. Inquired of key NAVSISA personnel and DPAS users to confirm the results of the testing above.
    Results of Testing: No relevant exceptions noted.

69  Software quality requirements and validation methods that are focused on the minimization of flawed or malformed software that can negatively impact integrity or availability, such as buffer overruns, are specified for all software development initiatives.
    Control Activity (DFAS-Columbus): The DPAS Security Specialist at DFAS-Columbus receives DPAS Release Notes from NAVSISA-Mechanicsburg. The DPAS Security Specialist then reviews the DPAS Release Notes for changes related to security. The Testing Director at NAVSISA-Mechanicsburg develops test plans for testing security-related changes. The DPAS Security Specialist then reviews these test plans and assists in the testing of security-related changes included in the DPAS Release.
    Control Activity (NAVSISA): Test plan standards have been developed for all levels of testing that define responsibilities for each party (e.g., users, system analysts, programmers, auditors, quality assurance, and library control).
    Test Procedure (DFAS-Columbus): Inquired of the DPAS Security Specialist at DFAS-Columbus as to his roles and responsibilities for the release of security-related changes included in DPAS Releases. Observed release notes for all major DPAS production releases that occurred during the audit period at NAVSISA-Mechanicsburg.
    Test Procedure (NAVSISA): Using the same sample selected for control objective 59, confirmed that the change followed the appropriate test and migration process by inspecting the following for completeness and authorization:
        o System Test Plan;
        o Detailed system specifications; and
        o Unit, System, and Acceptance testing results.
    Inquired of key NAVSISA personnel and DPAS users to confirm the results of the testing above.
    Results of Testing: No relevant exceptions noted.

System Software Controls

70  Access authorizations are appropriately limited.
    Control Activity (DISA-OKC, DISA-Ogden): ACLs, user management controls, firewalls, IDS, and authentication are used to control network access. Users must have an access level equal to that of the system they are trying to access, have an established username and password, and be allowed through the router and firewall.
    Test Procedure (DISA-OKC): Read the policies and procedures for restricting access to the system software to confirm that they were up-to-date.
    Test Procedure (DISA-Ogden): Obtained a list from the Discretionary Access Control of all individuals who had direct access to the system software and selected a haphazard sample of Ogden users with direct access. For each user selected, confirmed with key management personnel that the user was authorized to have this access.
    Results of Testing: No relevant exceptions noted.

71  All access paths have been identified and controls implemented to prevent or detect access for all paths.
    Control Activity (DISA-OKC): The following are used to provide telecommunication controls:
        • ACLs
        • IDS
        • Firewalls
        • Encryption, and
        • Network monitoring.
    ACLs have been implemented for interconnections among DoD information systems. The ACLs are controlled by DISA-OKC.
    Test Procedure (DISA-OKC): Through observation and inquiry, confirmed that telecommunications controls were properly implemented. Obtained policy and procedures relating to DoD information systems access controls to confirm they existed. Through observation and inquiry, confirmed that a controlled interface was used for interconnections among the DoD information systems that were connected to DPAS. Observed the existence of ACLs, IDS, firewalls, encryption, and network monitoring. Reviewed output on the computer monitor and conducted inquiry of the IT Specialist.
    Results of Testing: No relevant exceptions noted.

72  Policies and techniques have been implemented for using and monitoring the use of system utilities.
    Control Activity (DISA-Ogden): The system utilities that support DPAS are limited to root access only. Policies and procedures for using and monitoring the use of system software utilities exist and are up-to-date. Responsibilities for using sensitive system utilities have been clearly defined and are understood by systems programmers. Responsibilities for monitoring use are defined and understood by technical management. The use of sensitive system utilities is logged using access control software reports or job accounting data.
    Test Procedure (DISA-Ogden): Inquired of key Ogden personnel to confirm how root access was administered. Obtained the list of individuals with root access and conferred with Management that access was appropriate and that the use of accounts with root access was logged. Read the policies and procedures for the monitoring of system software to confirm that they existed and were current. Read a sample of the audit logs from the DPAS servers to confirm that key Ogden personnel reviewed the logs on a regular basis and that any issues noted were documented and researched.
    Results of Testing: Standard Operating Procedures and the DISA-Ogden SSAA were not updated to reflect current processes and procedures. In addition, DISA-Ogden did not proactively monitor or review audit trails since it did not have the tools to perform such monitoring. During our fieldwork, we noted that standard operating procedures had been subsequently documented.

73  System software changes are authorized, tested, and approved before implementation.
    Control Activity (DISA-Dayton): DPAS system software patches and upgrades are applied in accordance with Information Assurance Vulnerability Alert bulletins or DISA-Ogden policy unless otherwise noted in the Service-Level Agreement (SLA). Current policies and procedures exist for identifying, selecting, installing, and modifying system software. New system software versions or products and modifications to existing system software receive proper authorization and are supported by a change request document. New system software versions or products and modifications to existing system software are tested and the test results are approved before implementation. All emergency changes follow the change management process and must be approved prior to implementation.
    Test Procedure (DISA-Dayton): Obtained and read the change management policies and procedures for system software to confirm that they existed and were current. Obtained a list of all system software purchases and modifications from September 1, 2004 through April 30, 2005 and tested the full population of modifications. For each modification, obtained the change request document and confirmed that the modification was approved by key Ogden personnel prior to implementation and that it was tested and the test results approved before the modification was implemented. Obtained a list of all emergency changes implemented from September 1, 2004 through April 30, 2005 and confirmed through inspection that these changes followed a change management process and were tested and approved prior to implementation.
    Results of Testing: No relevant exceptions noted.

74  Installation of system software is documented and reviewed.
    Control Activity (DISA-Ogden): DPAS system software and patch installations are tracked through HP/UX software utilities. Installation of system software is scheduled to minimize the impact on data processing, and advance notice is given to system users. Migration of tested and approved system software to production is performed by an independent source. Installation of all system software is logged to establish an audit trail and is reviewed by management. All system software is current and has current and complete documentation.
    Test Procedure (DISA-Ogden): Confirmed through inquiry that changes to the HP/UX servers were managed and logged in the CMS. Using the sample of system software modifications/implementations selected for control objective 73, confirmed that users were notified of the modification prior to implementation. Obtained the system software audit logs that showed each change selected above being implemented. Confirmed with key Ogden personnel that the logs were reviewed. Obtained the list of personnel with access to migrate system software modifications from the test environment to the production environment and confirmed with Management that an appropriate individual migrated each of the selected modifications. Observed the presence of HP/UX software utilities on the DPAS servers. Read the Executive Software Inventory for DPAS to confirm that it was current.
    Results of Testing: DISA-Ogden did not proactively monitor or review operating system audit trails because it did not have a software tool that would allow it to efficiently analyze large volumes of audit log data to identify potential high-risk and unusual system activity.

75  Good engineering practices with regard to the integrity mechanisms of Commercial off-the-Shelf, GOTS, and custom-developed solutions are implemented for incoming and outgoing files.
    Control Activity (DISA-OKC): Integrity mechanisms are used for interconnections among the DoD information systems connecting to DPAS for incoming and outgoing files.
    Test Procedure (DISA-OKC): Confirmed through inquiry that a controlled interface was used for interconnections among the DoD information systems that were connected to DPAS. Observed the existence of ACLs, IDS, firewalls, encryption, and network monitoring.
    Test Procedure (DISA-Dayton): Using an automated tool, performed passive network monitoring of DPAS-related network traffic over a period of 10 days to confirm that no unencrypted traffic was transmitted over commercial or wireless networks. Confirmed through corroborative inquiry that interfaced inputs were automatically validated by the system for missing information, format, consistency, and reasonableness. Observed system batch files of interfaced inputs for control totals and line counts.
    Results of Testing: No relevant exceptions noted.

Segregation of Duties

76  Incompatible duties have been identified and policies implemented to segregate these duties.
    Control Activity (DISA-Ogden): System Administrator, System Security, IAO, and IAM duties are all separated at SMC Ogden.
    Test Procedure (DISA-Ogden): Read the DISA-Ogden organizational chart and read the job descriptions for the positions at DISA-Ogden in relation to DPAS to confirm that there was an appropriate segregation of duties and that incompatible duties did not exist.
    Results of Testing: No relevant exceptions noted.

77  System management job descriptions have been documented.
    Control Activity (DISA-Ogden): Job descriptions of key DPAS system support personnel are documented.
    Test Procedure (DISA-Ogden): Read the job descriptions for key system support personnel at DISA-Ogden to confirm they existed.
    Results of Testing: No relevant exceptions noted.

78  System management employees understand their duties and responsibilities.
    Control Activity (DISA-Ogden): DISA-Ogden employees understand their duties and responsibilities in accordance with DISA policies and procedures.
    Test Procedure (DISA-Ogden): Selected a sample of employees and confirmed through inquiry that they understood their duties and responsibilities. Observed documentation to confirm that employees had signed position descriptions.
    Results of Testing: No relevant exceptions noted.

79  Management reviews effectiveness of control techniques.
    Control Activity (DFAS-Columbus): Management periodically assesses the appropriateness and effectiveness of control techniques by updating the Systems Security Policy, Security Requirements, and Certification Test and Evaluation Plan and Procedures.
    Test Procedure (DFAS-Columbus): Read the DPAS Systems Security Policy, Security Requirements, and Certification Test and Evaluation Plan and Procedures to confirm that each had been updated.
    Results of Testing: No relevant exceptions noted.

80  Formal procedures guide system management personnel in performing their duties.
    Control Activity (DISA-Ogden): Formal procedures are documented and accessible to guide personnel in performing their duties.
    Test Procedure (DISA-Ogden): Read the Standard Operating Procedures used by DISA-Ogden personnel for performance of their job duties with respect to DPAS.
    Results of Testing: Standard operating procedures and the DISA-Ogden SSAA were not updated to reflect existing processes and procedures. During our fieldwork, we noted that standard operating procedures had been subsequently documented.

81  Access procedures enforce the principles of separation of duties and "least privilege."
    Control Activity (DFAS-Columbus): User access profiles are created for DPAS users to limit access to DPAS and enforce a separation of duties.
    Test Procedure (DFAS-Columbus): Read the access control policies and procedures for DISA-Ogden for compliance with the principles of separation of duties and "least privilege."
    Results of Testing: No relevant exceptions noted.

82  Active supervision and review are provided for all system management personnel.
    Control Activity (DISA-Ogden): A documented management structure with supervision has been established.
    Test Procedure (DISA-Ogden): Read the DISA-Ogden organizational chart to confirm that a management structure was established. Read position descriptions of DPAS key support personnel to confirm that supervisory responsibilities were established.
    Results of Testing: No relevant exceptions noted.

Application Controls

1   Access controls have been established to enforce segregation of duties.
    Control Activity (DFAS-Columbus): The system design permits only authorized users to enter, modify, or otherwise alter property records. The system incorporates adequate security features that prevent access to the property system by unauthorized individuals. The system's design can be observed and tested in a production replica.
    Test Procedure (DFAS-Columbus): Observed the DPAS system to confirm that its design supported segregating duties. Observed DPAS to confirm that users must possess a valid Login and Password to gain access to the system. Observed the entering of an invalid User ID and password to confirm that the system displayed an error message to the user. Observed the DPAS system to confirm that each user account was assigned a Security Profile that restricted access by module, program, UIC, and Hand Receipt.
    Results of Testing: No relevant exceptions noted.

2   Controls provide reasonable assurance that all asset acquisitions are recorded.
    Control Activity (DFAS-Columbus): The system contains edits and validations that assist the user in adequately recording beginning balances, acquisitions, and withdrawals, and it
    Test Procedure (DFAS-Columbus): Confirmed through observation that the DPAS system contained edits and validations that assisted the user in adequately entering beginning balances, acquisitions, and withdrawals through required or restricted fields.
    Results of Testing: No relevant exceptions noted.
Through re-\n                                   calculates ending            performance, attempted to proceed\n                                   balances expressed in        beyond window that contained\n                                   values and physical          fields without entry to confirm that\n                                   units, except for heritage   system prompts user with warning\n                                   assets and stewardship       message.\n                                   land for which all end of\n                                   period balances are\n                                   expressed in physical\n                                   units only.\n\n\n\n3     Controls provide             DFAS-Columbus                DFAS-Columbus                       No relevant exceptions\n      reasonable assurance that    The system contains          Observed fields in DPAS to          noted.\n      all asset disposals are      edits and validations that   confirm that they provided the user\n      recorded.                    assist the user in           the capability of indicating the\n                                   adequately identifying       asset for disposal or retirement.\n                                   property as or as held\n                                   for disposal or              Observed data fields in DPAS to\n                                   retirement.                  
confirm that data entry into those\n                                                                data fields was required and\n\n\n\n                                                                93\n\x0cCO    Control Objective            Control Activity            Test Procedure                          Results of Testing\nNo.\n                                                               restricted to specified data values.\n                                                               Through re-performance,\n                                                               attempted to proceed beyond a\n                                                               window that contained fields\n                                                               without entry to confirm that the\n                                                               system prompts users with warning\n                                                               messages.\n4     Controls provide             DFAS-Columbus               DFAS-Columbus                           DPAS does not calculate\n      reasonable assurance that    The system provides         Confirmed through observation of        the annual amortization\n      all asset acquisitions are   users the capability of     the DPAS system that it had been        of estimated mat, clean-\n      recorded in accordance       capturing and               designed to enforce the DoD             up costs, and the\n      with DoD and                 categorizing capital        Financial Management Regulation         unamortized balance.\n                                   assets according to         (FMR) Volume 4, Chapter 6.\n      Federal entity\xe2\x80\x99s policy as   capitalization thresholds\n      applicable.                  in compliance with          Observed the DPAS system\'s\n                                   federal regulation.         
capitalization key fields to confirm\n                                                               that it provided the user the\n                                                               capability of categorizing the asset\n                                                               as a capital asset (value over\n                                                               $100,000).\n\n                                                               Observed the DPAS system\'s\n                                                               validation messages that controlled\n                                                               the user\'s classification of an asset\n                                                               as a capital asset.\n\n                                                               Observed that the DPAS system\n                                                               calculated the annual amortization\n\n\n\n                                                               94\n\x0cCO    Control Objective           Control Activity             Test Procedure                         Results of Testing\nNo.\n                                                               of estimated material, clean-up\n                                                               costs, and the unamortized balance.\n\n5     Controls provide            DFAS-Columbus                DFAS-Columbus                          No relevant exceptions\n      reasonable assurance that   The system contains          Observed the system to confirm         noted.\n      depreciation charges are    edits and validations that   that it recorded depreciation\n      valid.                      
assist the user in           charges for assets that were subject\n                                  accurately recording         to depreciation.\n                                  assets for depreciation.\n                                                               Observed fields that were required\n                                                               and or restricted for recording\n                                                               assets that were subject to\n                                                               depreciation.\n\n\n6     Controls provide            DFAS-Columbus                DFAS-Columbus                          No relevant exceptions\n      reasonable assurance that   Asset-related                Read DPAS SSAA Appendix D to           noted.\n      asset acquisitions are      transactions affecting the   confirm that DPAS contained\n      accurately recorded.        asset register and/or        technical controls over user access,\n                                  master file are edited       authorization, data integrity, and\n                                  and validated to prevent     data validation.\n                                  duplication and reduce\n                                  the likelihood of creating   Observed the DPAS system to\n                                  erroneous property           confirm that it included editing and\n                                  records to maintain the      validation functions that would not\n                                  integrity of data            permit duplication of a stock\n                                  recorded in the system;      number or serial number\n                                  identified errors are        combination, or a duplicate\n\n\n\n                                                               95\n\x0cCO    Control Objective   Control Activity             Test Procedure                         Results of 
Testing\nNo.\n                          corrected promptly.          barcode.\n\n                          The system contains          Observed the stock number, serial\n                          edits and validations that   number, and barcode fields to\n                          assist the user in           confirm that the user was\n                          accurately capturing the     prompted with an error message if\n                          method and costs of          the user entered a duplicate value.\n                          acquiring each property\n                          item or bulk property        Observed that significant error\n                          items including direct       messages, such as system aborts,\n                          purchase, completed          were logged to an error log file and\n                          work-in-process,             observed that the History Table\n                          completed internal user      captured asset transactional\n                          software in development,     activity.\n                          capital lease, donation,\n                          loan, grant, non-            Observed edits and validations\n                          reciprocal transfer or       were built into the system.\n                          reciprocal transfer, and     Confirmed through observation\n                          the date of the              that the system prompted users\n                          acquisition.                 
with warning messages when values\n                                                       were not entered into required\n                                                       fields.\n\n                                                       Observed the application\'s Hand\n                                                       Receipt Module to confirm that it\n                                                       provided the user the capability of\n                                                       capturing the method of asset\n                                                       acquisition with the assignment of\n\n\n\n                                                       96\n\x0cCO    Control Objective           Control Activity            Test Procedure                         Results of Testing\nNo.\n                                                              the appropriate \xe2\x80\x9cAction Code\xe2\x80\x9d and\n                                                              \xe2\x80\x9cDate of Acquisition\xe2\x80\x9d when\n                                                              performing an \xe2\x80\x9cEnd Item\n                                                              Increase.\xe2\x80\x9d\n\n                                                              Observed that fields \xe2\x80\x9cAcquisition\n                                                              Date\xe2\x80\x9d and \xe2\x80\x9cAction Code\xe2\x80\x9d that\n                                                              allow a user to capture the method\n                                                              of asset acquisition, to confirm that\n                                                              the fields were required and\n                                                              restricted. 
Through re-\n                                                              performance, attempted to proceed\n                                                              beyond a window that contained\n                                                              Acquisition Date and Action Code\n                                                              without entry to confirm that the\n                                                              system prompted the user with a\n                                                              warning message.\n7     Controls provide            DFAS-Columbus               DFAS-Columbus                         No relevant exceptions\n      reasonable assurance that   The system calculates       Read the DPAS Help Manual to          noted.\n      asset disposals are         gain or loss at time of     confirm that the system calculates a\n      accurately calculated and   disposal or retirement,     gain or loss at the time of disposal.\n      recorded in accordance      sale, exchange, or\n      with USSGL policy.          donation.                   
Observed the DPAS system to\n                                                              confirm that it provided a financial\n                                  The system for              transaction for calculation of gain\n                                  capitalized property        or loss at the time of disposal or\n                                  classifies Property Plant   retirement, sale, exchange, and\n                                  & Equipment according       donation.\n\n\n\n                                                              97\n\x0cCO    Control Objective   Control Activity            Test Procedure                         Results of Testing\nNo.\n                          to the USSGL and\n                          generates data for the      Observed that the transaction was\n                          journal entries necessary   logged in the History Table,\n                          for recording changes in    indicating transaction date, time,\n                          the valuation including     and the User ID of the person\n                          any associated gains or     entering the transaction.\n                          losses.\n\n\n                                                      Re-performed test and gain or loss\n                                                      calculations similar to depreciation\n                                                      re-performance tests to confirm\n                                                      that a gain or loss was accurately\n                                                      calculated.\n\n                                                      Observed the system to confirm\n                                                      that its configuration performed a\n                                                      cross-walk to the USSGL.\n\n                                                      Observed the application\'s asset\n                         
                             code field to confirm that it\n                                                      provided the user the capability of\n                                                      classifying PP&E according to the\n                                                      USSGL.\n\n                                                      Observed the asset code field to\n                                                      confirm that it was a required or\n                                                      restricted field. Through re-\n\n\n\n                                                      98\n\x0cCO    Control Objective           Control Activity          Test Procedure                         Results of Testing\nNo.\n                                                             performance, attempted to proceed\n                                                             beyond a window that contained\n                                                             the asset code field without an\n                                                             entry to confirm that the system\n                                                             prompted users with a warning\n                                                             message.\n8     Controls provide            DFAS-Columbus              DFAS-Columbus                         No relevant exceptions\n      reasonable assurance that   The system contains        Read the electronic DPAS Help         noted.\n      depreciation charges are    edits and validations that Manual to confirm that the Asset\n      accurately calculated and   assist the user in         Control Code (ACC) identified the\n      recorded.                   
aggregating like items     accounting class of assets and that\n                                  into pools for purposes    DPAS had capital threshold limits.\n                                  of calculating             Observed the application\'s Hand\n                                  depreciation; allows       Receipt module and Catalog\n                                  users to reassign an       module to confirm that they\n                                  average useful life and    provided the user the capability to\n                                  acquisition cost; and      aggregate homogeneous assets into\n                                  maintains original         asset pools via the ACC code field.\n                                  unique property records\n                                  for pooled items.\n                                                             Observed that ACC code was a\n                                  The system supports an     required and restricted field.\n                                  appropriate depreciation Through re-performance,\n                                  method, such as straight attempted to proceed beyond a\n                                  line, physical usage and   window without entering an ACC\n                                  the components needed      code to confirm that the system\n                                  to calculate depreciation, prompted users with warning a\n                                  amortization, or           message.\n\n\n\n                                                            99\n\x0cCO    Control Objective   Control Activity            Test Procedure                          Results of Testing\nNo.\n                          depletion expense\n                          including: original asset    Read Help Manual to confirm that\n                          value; estimated useful      it included an entire list of system\n                          life; 
and salvage or         permitted ACC codes.\n                          residual value.\n                                                       Observed the application\'s Catalog\n                          The system notifies the      module and Accounting module to\n                          user if information is       confirm that they provided the user\n                          needed for depreciation,     the capability of capturing the\n                          amortization or              estimated useful life, depreciation,\n                          depletion calculations       amortization, depletion method,\n                          when thresholds are          and salvage or residual value for\n                          exceeded.                    each asset or group of assets when\n                                                       applicable and that the system\n                                                       supported only the straight-line\n                                                       calculation method.\n                          Standard programmed\n                          algorithms perform           Observed the DPAS system to\n                          depreciation                 confirm that it prompted users\n                          calculations.                
with the warning message\n                                                       \xe2\x80\x9cThreshold Exceeded\xe2\x80\x9d if value\n                                                       exceeded system\'s configured\n                                                       threshold.\n\n                                                       Re-performed deprecation\n                                                       algorithm for a haphazard sample\n                                                       of transactions to confirm correct\n                                                       calculation was being routinely\n\n\n\n                                                      100\n\x0cCO    Control Objective           Control Activity           Test Procedure                          Results of Testing\nNo.\n                                                             performed.\n9     Controls provide            DFAS-Columbus              DFAS-Columbus                           No relevant exceptions\n      reasonable assurance that   The system contains        Observed the application\'s Hand         noted.\n      recorded asset              edits and validations that Receipt module to confirm that it\n      acquisitions represent      prevent the user from      provided the user the capability of\n      assets acquired by the      entering erroneous data identifying an asset as Inbound,\n      organization.               for the acquisition of     Outbound, or Not Applicable by\n                                  property in-transit.       
assigning the appropriate \xe2\x80\x9cIn-\n                                                             transit Code.\xe2\x80\x9d Observed that the\n                                                             In-transit Code field restricted the\n                                                             user to selecting one of the three\n                                                             options and defaulted to \xe2\x80\x9cNot\n                                                             Applicable.\xe2\x80\x9d\n\n\n                                                             Observed the application\'s Catalog\n                                                             and Document Register to confirm\n                                                             that they provided users the\n                                                             capability of tracking the In-transit\n                                                             Code of an asset by storing the\n                                                             asset\'s Contract Number. 
Observed\n                                                             that the Contract Number field\n                                                             could be pre-populated by Fed Log\n                                                             or populated by user entry and that\n                                                             this field was not restrictive.\n                                                             Observed the fields \xe2\x80\x9cIn-transit\n                                                             Code\xe2\x80\x9d and \xe2\x80\x9cContract Number\xe2\x80\x9d to\n                                                             confirm that they were required or\n\n\n\n                                                            101\n\x0cCO    Control Objective            Control Activity           Test Procedure                          Results of Testing\nNo.\n                                                               restricted. Through re-\n                                                               performance, attempted to proceed\n                                                               beyond a window that contained a\n                                                               Contract Number without an entry\n                                                               to confirm that the system\n                                                               prompted users with warning\n                                                               messages.\n\n\n10    Controls provide             DFAS-Columbus               DFAS-Columbus                      No relevant exceptions\n      reasonable assurance that    Personnel who are           Read the DPAS SSAA Appendix O, noted.\n      only valid changes are       responsible for asset       \xe2\x80\x9cDPAS Security Awareness\n      made to the asset register   transaction processing      Guide,\xe2\x80\x9d to confirm that the roles\n     
 and master file.             have neither                and responsibilities were defined\n                                   responsibility for asset    for the System Administrator, IAO,\n                                   master file maintenance     Site Security Officer, and Users.\n                                   nor update\n                                                              Observed documentation that\n                                   access to the asset master defined user roles and\n                                   file.                      responsibilities.\n\n                                                               Observed the application to\n                                                               confirm that users must possess a\n                                                               valid Login and Password to gain\n                                                               access to the system.\n\n                                                               Observed that each user account\n                                                               was assigned a Security Profile that\n\n\n\n                                                              102\n\x0cCO    Control Objective            Control Activity            Test Procedure                        Results of Testing\nNo.\n                                                                restricted access by module,\n                                                                program, UIC, and Hand Receipt.\n\n                                                                Observed documentation and\n                                                                communication between the PBO\n                                                                and the Information Systems\n                                                                Security Officer responsible for\n                                                         
       setting up Security Profile that\n                                                                dictated which modules and\n                                                                functions each user had access to.\n11    Controls provide             DISA-Dayton                  DISA-Dayton                          No standard operating\n      reasonable assurance that    Transactions that are        Confirmed through inquiry that       procedures existed for\n      erroneous transactions       reprocessed are              erroneous transactions were          monitoring transaction\n      are identified without       controlled in a similar      reprocessed in a similar manner to   processing. In addition,\n      being processed and          manner to the original       the original transactions.           error correction\n      without undue disruption     transactions with                                                 procedures were not\n      of the processing of other   appropriate                  Read Standard Operating              documented and\n      valid transactions.          modifications (for both      Procedures to confirm that           maintained. Finally, the\n                                   business process and         documented procedures existed for    majority of the\n                                   security controls).          monitoring transaction processing.   transaction processing,\n                                   The system provides an                                            monitoring, and error\n                                   audit trail of all           Observed that transactions were      correction functions were\n                                   transactions processed,      reprocessed in a manner similar to   performed by one\n                                   transaction errors, error    original transactions.               
(Control continued from the preceding page)
    Control Activity (continued): ... descriptions, and error correction procedures.
    Test Procedure:
        Observed the batch status file to confirm that erroneous transactions were monitored, identified, and corrected.
        Observed the batch status file to confirm that it recorded all successful and unsuccessful batches.
        Observed the Batch Error History report and descriptions to confirm that erroneous transactions were monitored, identified, and corrected and that correction procedures were recorded.
    Results of Testing (continued): ... individual at DISA who was the only person who had the full technical knowledge of DPAS to perform all of the functions. The unavailability of this person could impact the timeliness and quality of system transaction file processing.

CO No. 12
    Control Objective: Controls provide reasonable assurance that transaction data entered for processing via automated interface are subject to a variety of controls to check for accuracy, completeness and validity and that input data are validated and edited as close to the point of origination as possible.
    Control Activity (DISA-Dayton): Interfaced inputs are automatically validated by the system for missing information, format, consistency and reasonableness. Checks for valid information are made when inputs are received. Transactions failing edit and validation routines are posted to a suspense file and reported. Where a file contains valid and invalid transactions, processing of valid transactions is not delayed.
        Interfaced inputs are transmitted in batch files and batch control totals are used to balance sent transactions to received transactions. Out-of-balance conditions are reported, corrected and reentered.
    Test Procedure (DISA-Dayton):
        Confirmed through inquiry that interfaced inputs were automatically validated by the system for missing information, format, consistency and reasonableness.
        Observed the application to confirm that it would reject and not process erroneous transactions.
        Observed log files that confirm the logging of successful and unsuccessful transactions between interfaces.
        Observed the error file to confirm that erroneous transactions were monitored, identified, and corrected.
        Observed system batch files of interfaced inputs for control totals and line counts.
        Observed the suspense file to confirm that erroneous transactions were monitored, identified, and corrected.
        Inspected a haphazard sample of batch transaction errors to confirm that all 7 transaction errors were corrected.
        Observed that rerun transactions were subjected to the same quality review as the original transactions.
    Results of Testing: No relevant exceptions noted.


Section IV: Supplemental Information Provided by the Defense Information Systems Agency

This section has been prepared by DISA and is included to provide user organizations with information DISA believes will be of interest to such organizations but is not covered in the scope or control objectives established for the Statement on Auditing Standards 70 review.
Specifically included is a summary of procedures that DISA has put into place to enable recovery from a disaster affecting the DISA location where DPAS is housed and maintained.

This information has not been subjected to the procedures applied to the examination of the description of controls presented in Sections II and III of this report, and accordingly, the DoD OIG expresses no opinion regarding the completeness and accuracy of this information.

To accommodate a major disaster at any major DISA processing center, DISA has established the DISA Continuity and Test Facility (DCTF) at Slidell, LA. This facility is equipped with computational, DASD (Direct Access Storage Device), and telecommunications resources sized to provide a fully functional host site with the capacity to support a major disaster at any DISA processing center. The Continuity of Operations support agreement between DPAS as the customer and DISA as the provider of processing system and communications services provides for restoring host site processing in the event of a major disaster and for the timely resolution of problems during other disruptions that adversely affect DPAS processing.

The enterprise backup process is managed by the DISA-Oklahoma City Storage Team. Backup tapes containing the incremental daily and the complete weekly backups are created at Dayton with DISA-Oklahoma City oversight. The tapes are rotated off-site to Data Storage Centers in Cincinnati, OH, for storage on a predetermined schedule.

The Crisis Management Team (CMT) at DISA-Ogden is responsible for declaring that a disaster has occurred and for initiating the Business Continuity Plan. The CMT will then activate the following response teams: Communications Team, Recovery Coordination Team, Site Recovery Team, and the Crisis Support Team (CST).
If a disaster recovery is required when neither the DISA-Oklahoma City nor the DISA-Ogden site is available to restore the data, the DPAS customer has to request DISA-Dayton personnel to initiate the data restore process. Each team has a specific set of responsibilities defined in the Business Continuity Plan. The contact information for each individual on each team is also included in the Business Continuity Plan. The plan is required to be tested on an annual basis. DPAS personnel and selected user sites participate in the yearly Continuity of Operations test to ensure that the process works correctly and that documentation is updated appropriately.


Acronyms and Abbreviations

ACC          Asset Control Code
ACL          Access Control List
ADP          Automated Data Processing
CCB          Configuration Control Board
CI           Configured Items
CMTS         Configuration Management Tracking System
DAA          Designated Approving Authority
DECC         Defense Enterprise Computing Center
DFAS         Defense Finance and Accounting Service
DISA         Defense Information Systems Agency
DISA OKC     DISA Oklahoma City
DITSCAP      Department of Defense Information Technology Security Certification and Accreditation Process
DoD          Department of Defense
DoD OIG      Department of Defense Office of Inspector General
DPAS         Defense Property Accountability System
FSO          Field Security Operations
GOTS         Government off-the-Shelf
HP/UX        Hewlett Packard/Unix
IA           Information Assurance
IAM          Information Assurance Manager
IAO          Information Assurance Officer
ID           Identification
IDS          Intrusion Detection System
ISS          Internet Security Systems
IT           Information Technology
MAC          Mission Assurance Category
NAVSISA      Naval Supply Information Systems Activity
NIST         National Institute of Standards and Technology
NSA          National Security Agency
PBO          Property Book Officer
PDCD         Portable Data Collection Devices
PTR          Program Trouble Report
SAAR         System Authorization Access Request
SCR          System Change Request
SMC          System Management Center
SRR          System Readiness Review
SSAA         System Security Authorization Agreement
STIG         Security Technical Implementation Guide
TASO         Terminal Area Security Officer
UIC          Unit Identification Code
ULLS-S4      Unit Level Logistics System-Supply
USSGL        United States Government Standard General Ledger
VMS          Vulnerability Management System
VPN          Virtual Private Network


Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense, Acquisition, Technology and Logistics
Under Secretary of Defense (Comptroller)/Chief Financial Officer
   Deputy Chief Financial Officer
   Deputy Comptroller (Program/Budget)
Program Analysis and Evaluation

Department of the Navy
Naval Inspector General
Auditor General, Department of the Navy
Commanding Officer, Naval Supply Information Systems Activity

Combatant Command
U.S. Joint Forces Command

Other Defense Organizations
Defense Finance and Accounting Service
Defense Information Systems Agency

Non-Defense Federal Organizations and Individuals
Office of Management and Budget
General Accountability Office

Congressional Committees and Subcommittees, Chairman and Ranking Minority Members
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
   House Subcommittee on Government Efficiency and Financial Management, Committee on Government Reform
   House Subcommittee on National Security, Emerging Threats, and International Relations, Committee on Government Reform
   House Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Committee on Government Reform


Team Members

The Defense Financial Auditing Service, Department of Defense Office of Inspector General produced this report.

Paul J. Granetto
Patricia A. Marsh
Addie M. Beima
Kenneth H. Stavenjord
Yolanda C. Watts
LTC Shurman Vines
Jackie J. Vos
William Zeh
Charles Dekle
Kimberly D. Brothers
Michael E. Williams